<div dir="ltr">Hi,<div><br></div><div>First, I want to thank you Noel for your help and patience. I know some of my questions are probably dumb but though not an excuse, the sheer amount of information to process is huge and intimidating (especially when discovering graphics like this <a href="https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg">https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg</a>) and I just cannot figure / get a high level view of how ip routes, tables, packets, etc. work together, all the more with the interactions between drivers in the network stack. I also want to apologize for providing dumps which were in contradiction with the setup I was describing -> this was the result of trying everything I could think of without fully understanding what I was doing.</div><div><br></div><div>However, after reading all the articles and information you provided, it looks like I managed to successfully connect to the other site but I cannot access any computer of this other site. I suspect it has to do with packet routing but I cannot find a way to correct my setup. When I ping or telnet a machine (on port 3389 where I should be able to connect via RDP), the command hangs.</div><div><br></div><div>For the record, I am setting up a Site to Site VPN with IKEv1 and PSK. I am using a computer running Ubuntu 16.04 with IP 192.168.1.44 on a local network behind an ISP-provided router. The router has a DHCP range of address 1 to 100 and NAT forwarding has been configured for ports 500 and 4500 on this router towards my computer. Beyond the router is internet.</div><div><br></div><div>You will find below the configuration files and the result of running a bash from a fresh boot.</div><div><br></div><div>Thanks in advance for all the help anybody can provide,</div><div><br></div><div>Kind regards,</div><div><br></div><div>Charles</div><div><br></div><div><br></div><div><div>ipsec.conf</div><div><br></div><div># ipsec.conf - strongSwan IPsec configuration file</div><div><br></div><div># basic configuration</div><div><br></div><div>config setup</div><div><span style="white-space:pre"> </span># strictcrlpolicy=yes</div><div><span style="white-space:pre"> </span># uniqueids = no</div><div><br></div><div># Add connections here.</div><div><br></div><div># Sample VPN connections</div><div><br></div><div>#conn sample-self-signed</div><div># leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a></div><div># leftcert=selfCert.der</div><div># leftsendcert=never</div><div># right=192.168.0.2</div><div># rightsubnet=<a href="http://10.2.0.0/16">10.2.0.0/16</a></div><div># rightcert=peerCert.der</div><div># auto=start</div><div><br></div><div>#conn sample-with-ca-cert</div><div># leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a></div><div># leftcert=myCert.pem</div><div># right=192.168.0.2</div><div># rightsubnet=<a href="http://10.2.0.0/16">10.2.0.0/16</a></div><div># rightid="C=CH, O=Linux strongSwan CN=peer name"</div><div># auto=start</div><div><br></div><div>conn ciscoios</div><div> keyexchange=ikev1</div><div> keyingtries=%forever</div><div> leftauth=psk</div><div> rightauth=psk</div><div> leftsubnet=<a href="http://192.168.1.0/24">192.168.1.0/24</a></div><div> leftid=93.XXX.XXX.XXX</div><div> auto=route</div><div> rightsubnet=<a href="http://172.21.148.0/28">172.21.148.0/28</a> #network behind IOS</div><div> right=83.XXX.XXX.XXX #IKEID sent by IOS</div><div> ike=aes256-sha-modp1024 #P1: modp1024 = DH group 2</div><div> esp=aes256-sha1-modp1024 #P2</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>ipsec.secrets</div><div><br></div><div># This file holds shared secrets or RSA private keys for authentication.</div><div><br></div><div># RSA private key for this host, authenticating it to any other host</div><div># which knows the public part.</div><div><br></div><div># 93.XXX.XXX.XXX 83.XXX.XXX.XXX YYYYYYYY</div><div>83.XXX.XXX.XXX : PSK "YYYYYYYY"</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>ipsec.sql</div><div>-not found-</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>auth.log</div><div><br></div><div>Oct 23 10:03:40 Nachalsys charon: 12[IKE] initiating Main Mode IKE_SA ciscoios[1] to 83.XXX.XXX.XXX</div><div>Oct 23 10:03:40 Nachalsys charon: 05[IKE] IKE_SA ciscoios[1] established between 192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX]</div><div>Oct 23 10:03:41 Nachalsys charon: 14[IKE] CHILD_SA ciscoios{1} established with SPIs c86d1e57_i 064d5231_o and TS <a href="http://192.168.1.0/24">192.168.1.0/24</a> === <a href="http://172.21.148.0/28">172.21.148.0/28</a></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>daemon.log</div><div>-not found-</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>root@Nachalsys ~ # sysctl net.ipv4.ip_forward=1</div><div>net.ipv4.ip_forward = 1</div><div>root@Nachalsys ~ # sysctl net.ipv6.conf.all.forwarding=1</div><div>net.ipv6.conf.all.forwarding = 1</div><div>root@Nachalsys ~ # iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT</div><div>root@Nachalsys ~ # ipsec up ciscoios</div><div>initiating Main Mode IKE_SA ciscoios[1] to 83.XXX.XXX.XXX</div><div>generating ID_PROT request 0 [ SA V V V V ]</div><div>sending packet: from 192.168.1.44[500] to 83.XXX.XXX.XXX[500] (216 bytes)</div><div>received packet: from 83.XXX.XXX.XXX[500] to 192.168.1.44[500] (128 bytes)</div><div>parsed ID_PROT response 0 [ SA V V ]</div><div>received NAT-T (RFC 3947) vendor ID</div><div>received FRAGMENTATION vendor ID</div><div>generating ID_PROT request 0 [ KE No NAT-D NAT-D ]</div><div>sending packet: from 192.168.1.44[500] to 83.XXX.XXX.XXX[500] (244 bytes)</div><div>received packet: from 83.XXX.XXX.XXX[500] to 192.168.1.44[500] (304 bytes)</div><div>parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]</div><div>received Cisco Unity vendor ID</div><div>received XAuth vendor ID</div><div>received unknown vendor ID: f6:93:91:2c:ea:0a:16:46:54:24:cd:24:86:5c:90:e8</div><div>received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00</div><div>local host is behind NAT, sending keep alives</div><div>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]</div><div>sending packet: from 192.168.1.44[4500] to 83.XXX.XXX.XXX[4500] (108 bytes)</div><div>received packet: from 83.XXX.XXX.XXX[4500] to 192.168.1.44[4500] (92 bytes)</div><div>parsed ID_PROT response 0 [ ID HASH V ]</div><div>received DPD vendor ID</div><div>IKE_SA ciscoios[1] established between 192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX]</div><div>scheduling reauthentication in 10082s</div><div>maximum IKE_SA lifetime 10622s</div><div>generating QUICK_MODE request 1172503876 [ HASH SA No KE ID ID ]</div><div>sending packet: from 192.168.1.44[4500] to 83.XXX.XXX.XXX[4500] (316 bytes)</div><div>received packet: from 83.XXX.XXX.XXX[4500] to 192.168.1.44[4500] (300 bytes)</div><div>parsed QUICK_MODE response 1172503876 [ HASH SA No KE ID ID ]</div><div>CHILD_SA ciscoios{1} established with SPIs c86d1e57_i 064d5231_o and TS <a href="http://192.168.1.0/24">192.168.1.0/24</a> === <a href="http://172.21.148.0/28">172.21.148.0/28</a></div><div>connection 'ciscoios' established successfully</div><div>root@Nachalsys ~ # ping 172.21.148.1</div><div>PING 172.21.148.1 (172.21.148.1) 56(84) bytes of data.</div><div>^C</div><div>--- 172.21.148.1 ping statistics ---</div><div>10 packets transmitted, 0 received, 100% packet loss, time 9217ms</div><div><br></div><div>1 root@Nachalsys ~ # telnet 172.21.148.1 3389 :(</div><div>Trying 172.21.148.1...</div><div>^X^C</div><div>130 root@Nachalsys ~ # :(</div><div>130 root@Nachalsys ~ # ipsec statusall :(</div><div>Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.10.0-37-generic, x86_64):</div><div> uptime: 3 minutes, since Oct 23 10:01:49 2017</div><div> malloc: sbrk 2568192, mmap 0, used 361488, free 2206704</div><div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3</div><div> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown</div><div>Listening IP addresses:</div><div> 192.168.1.44</div><div>Connections:</div><div> ciscoios: %any...83.XXX.XXX.XXX IKEv1</div><div> ciscoios: local: [93.XXX.XXX.XXX] uses pre-shared key authentication</div><div> ciscoios: remote: [83.XXX.XXX.XXX] uses pre-shared key authentication</div><div> ciscoios: child: <a href="http://192.168.1.0/24">192.168.1.0/24</a> === <a href="http://172.21.148.0/28">172.21.148.0/28</a> TUNNEL</div><div>Security Associations (1 up, 0 connecting):</div><div> ciscoios[1]: ESTABLISHED 78 seconds ago, 192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX]</div><div> ciscoios[1]: IKEv1 SPIs: 5701ca65606e4e4d_i* 46160bea31365403_r, pre-shared key reauthentication in 2 hours</div><div> ciscoios[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div> ciscoios{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c86d1e57_i 064d5231_o</div><div> ciscoios{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1140 bytes_o (15 pkts, 22s ago), rekeying in 47 minutes</div><div> ciscoios{1}: <a href="http://192.168.1.0/24">192.168.1.0/24</a> === <a href="http://172.21.148.0/28">172.21.148.0/28</a></div><div>root@Nachalsys ~ # ipsec listall</div><div><br></div><div>List of registered IKE algorithms:</div><div><br></div><div> encryption: AES_CBC[aes] RC2_CBC[rc2] 3DES_CBC[openssl] CAMELLIA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl]</div><div> DES_CBC[openssl] DES_ECB[openssl] NULL[openssl]</div><div> integrity: HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl]</div><div> HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl]</div><div> HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]</div><div> AES_XCBC_96[xcbc]</div><div> aead: AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl]</div><div> hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD4[md4]</div><div> HASH_MD5[md5]</div><div> prf: PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]</div><div> PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc]</div><div> PRF_CAMELLIA128_XCBC[xcbc]</div><div> dh-group: MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl]</div><div> MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl]</div><div> MODP_768[openssl] MODP_CUSTOM[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl]</div><div> ECP_192[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl]</div><div> random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]</div><div> nonce-gen: [nonce]</div><div><br></div><div>List of loaded Plugins:</div><div><br></div><div>charon:</div><div> CUSTOM:libcharon</div><div> NONCE_GEN</div><div> CUSTOM:libcharon-sa-managers</div><div> CUSTOM:libcharon-receiver</div><div> CUSTOM:kernel-ipsec</div><div> CUSTOM:kernel-net</div><div> CUSTOM:libcharon-receiver</div><div> HASHER:HASH_SHA1</div><div> RNG:RNG_STRONG</div><div> CUSTOM:socket</div><div> CUSTOM:libcharon-sa-managers</div><div> HASHER:HASH_SHA1</div><div> RNG:RNG_WEAK</div><div>test-vectors:</div><div> CUSTOM:test-vectors</div><div>aes:</div><div> CRYPTER:AES_CBC-16</div><div> CRYPTER:AES_CBC-24</div><div> CRYPTER:AES_CBC-32</div><div>rc2:</div><div> CRYPTER:RC2_CBC-0</div><div>sha1:</div><div> HASHER:HASH_SHA1</div><div> PRF:PRF_KEYED_SHA1</div><div>sha2:</div><div> HASHER:HASH_SHA224</div><div> HASHER:HASH_SHA256</div><div> HASHER:HASH_SHA384</div><div> HASHER:HASH_SHA512</div><div>md4:</div><div> HASHER:HASH_MD4</div><div>md5:</div><div> HASHER:HASH_MD5</div><div>random:</div><div> RNG:RNG_STRONG</div><div> RNG:RNG_TRUE</div><div>nonce:</div><div> NONCE_GEN</div><div> RNG:RNG_WEAK</div><div>x509:</div><div> CERT_ENCODE:X509</div><div> HASHER:HASH_SHA1</div><div> CERT_DECODE:X509</div><div> HASHER:HASH_SHA1</div><div> PUBKEY:ANY</div><div> CERT_ENCODE:X509_AC</div><div> CERT_DECODE:X509_AC</div><div> CERT_ENCODE:X509_CRL</div><div> CERT_DECODE:X509_CRL</div><div> CERT_ENCODE:X509_OCSP_REQUEST</div><div> HASHER:HASH_SHA1</div><div> RNG:RNG_WEAK</div><div> CERT_DECODE:X509_OCSP_RESPONSE</div><div> CERT_ENCODE:PKCS10_REQUEST</div><div> CERT_DECODE:PKCS10_REQUEST</div><div>revocation:</div><div> CUSTOM:revocation</div><div> CERT_ENCODE:X509_OCSP_REQUEST (soft)</div><div> CERT_DECODE:X509_OCSP_RESPONSE (soft)</div><div> CERT_DECODE:X509_CRL (soft)</div><div> CERT_DECODE:X509 (soft)</div><div> FETCHER:(null) (soft)</div><div>constraints:</div><div> CUSTOM:constraints</div><div> CERT_DECODE:X509 (soft)</div><div>pubkey:</div><div> CERT_ENCODE:TRUSTED_PUBKEY</div><div> CERT_DECODE:TRUSTED_PUBKEY</div><div> PUBKEY:RSA (soft)</div><div> PUBKEY:ECDSA (soft)</div><div> PUBKEY:DSA (soft)</div><div>pkcs1:</div><div> PRIVKEY:RSA</div><div> PUBKEY:ANY</div><div> PUBKEY:RSA (soft)</div><div> PUBKEY:ECDSA (soft)</div><div> PUBKEY:DSA (soft)</div><div> PUBKEY:RSA</div><div>pkcs7:</div><div> CONTAINER_DECODE:PKCS7</div><div> CONTAINER_ENCODE:PKCS7_DATA</div><div> CONTAINER_ENCODE:PKCS7_SIGNED_DATA</div><div> CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA</div><div>pkcs8:</div><div> PRIVKEY:ANY</div><div> PRIVKEY:RSA</div><div> PRIVKEY:ECDSA</div><div>pkcs12:</div><div> CONTAINER_DECODE:PKCS12</div><div> CONTAINER_DECODE:PKCS7</div><div> CERT_DECODE:X509 (soft)</div><div> PRIVKEY:ANY (soft)</div><div> HASHER:HASH_SHA1 (soft)</div><div> CRYPTER:3DES_CBC-24 (soft)</div><div> CRYPTER:RC2_CBC-0 (soft)</div><div>pgp:</div><div> PRIVKEY:ANY</div><div> PRIVKEY:RSA</div><div> PUBKEY:ANY</div><div> PUBKEY:RSA</div><div> CERT_DECODE:PGP</div><div>dnskey:</div><div> PUBKEY:ANY</div><div> PUBKEY:RSA</div><div>sshkey:</div><div> PUBKEY:ANY</div><div> CERT_DECODE:TRUSTED_PUBKEY</div><div>pem:</div><div> PRIVKEY:ANY</div><div> PRIVKEY:ANY</div><div> HASHER:HASH_MD5 (soft)</div><div> PRIVKEY:RSA</div><div> PRIVKEY:RSA</div><div> HASHER:HASH_MD5 (soft)</div><div> PRIVKEY:ECDSA</div><div> PRIVKEY:ECDSA</div><div> HASHER:HASH_MD5 (soft)</div><div> PRIVKEY:DSA (not loaded)</div><div> PRIVKEY:DSA</div><div> HASHER:HASH_MD5 (soft)</div><div> PRIVKEY:BLISS (not loaded)</div><div> PRIVKEY:BLISS</div><div> PUBKEY:ANY</div><div> PUBKEY:ANY</div><div> PUBKEY:RSA</div><div> PUBKEY:RSA</div><div> PUBKEY:ECDSA</div><div> PUBKEY:ECDSA</div><div> PUBKEY:DSA (not loaded)</div><div> PUBKEY:DSA</div><div> PUBKEY:BLISS</div><div> CERT_DECODE:ANY</div><div> CERT_DECODE:X509 (soft)</div><div> CERT_DECODE:PGP (soft)</div><div> CERT_DECODE:X509</div><div> CERT_DECODE:X509</div><div> CERT_DECODE:X509_CRL</div><div> CERT_DECODE:X509_CRL</div><div> CERT_DECODE:X509_OCSP_REQUEST (not loaded)</div><div> CERT_DECODE:X509_OCSP_REQUEST</div><div> CERT_DECODE:X509_OCSP_RESPONSE</div><div> CERT_DECODE:X509_OCSP_RESPONSE</div><div> CERT_DECODE:X509_AC</div><div> CERT_DECODE:X509_AC</div><div> CERT_DECODE:PKCS10_REQUEST</div><div> CERT_DECODE:PKCS10_REQUEST</div><div> CERT_DECODE:TRUSTED_PUBKEY</div><div> CERT_DECODE:TRUSTED_PUBKEY</div><div> CERT_DECODE:PGP</div><div> CERT_DECODE:PGP</div><div> CONTAINER_DECODE:PKCS12</div><div> CONTAINER_DECODE:PKCS12</div><div>openssl:</div><div> CUSTOM:openssl-threading</div><div> CRYPTER:AES_CBC-16</div><div> CRYPTER:AES_CBC-24</div><div> CRYPTER:AES_CBC-32</div><div> CRYPTER:CAMELLIA_CBC-16</div><div> CRYPTER:CAMELLIA_CBC-24</div><div> CRYPTER:CAMELLIA_CBC-32</div><div> CRYPTER:CAST_CBC-0</div><div> CRYPTER:BLOWFISH_CBC-0</div><div> CRYPTER:3DES_CBC-24</div><div> CRYPTER:DES_CBC-8</div><div> CRYPTER:DES_ECB-8</div><div> CRYPTER:NULL-0</div><div> HASHER:HASH_MD4</div><div> HASHER:HASH_MD5</div><div> HASHER:HASH_SHA1</div><div> HASHER:HASH_SHA224</div><div> HASHER:HASH_SHA256</div><div> HASHER:HASH_SHA384</div><div> HASHER:HASH_SHA512</div><div> PRF:PRF_KEYED_SHA1</div><div> PRF:PRF_HMAC_MD5</div><div> PRF:PRF_HMAC_SHA1</div><div> PRF:PRF_HMAC_SHA2_256</div><div> PRF:PRF_HMAC_SHA2_384</div><div> PRF:PRF_HMAC_SHA2_512</div><div> SIGNER:HMAC_MD5_96</div><div> SIGNER:HMAC_MD5_128</div><div> SIGNER:HMAC_SHA1_96</div><div> SIGNER:HMAC_SHA1_128</div><div> SIGNER:HMAC_SHA1_160</div><div> SIGNER:HMAC_SHA2_256_128</div><div> SIGNER:HMAC_SHA2_256_256</div><div> SIGNER:HMAC_SHA2_384_192</div><div> SIGNER:HMAC_SHA2_384_384</div><div> SIGNER:HMAC_SHA2_512_256</div><div> SIGNER:HMAC_SHA2_512_512</div><div> AEAD:AES_GCM_8-16</div><div> AEAD:AES_GCM_8-24</div><div> AEAD:AES_GCM_8-32</div><div> AEAD:AES_GCM_12-16</div><div> AEAD:AES_GCM_12-24</div><div> AEAD:AES_GCM_12-32</div><div> AEAD:AES_GCM_16-16</div><div> AEAD:AES_GCM_16-24</div><div> AEAD:AES_GCM_16-32</div><div> DH:MODP_2048</div><div> DH:MODP_2048_224</div><div> DH:MODP_2048_256</div><div> DH:MODP_1536</div><div> DH:MODP_3072</div><div> DH:MODP_4096</div><div> DH:MODP_6144</div><div> DH:MODP_8192</div><div> DH:MODP_1024</div><div> DH:MODP_1024_160</div><div> DH:MODP_768</div><div> DH:MODP_CUSTOM</div><div> PRIVKEY:RSA</div><div> PRIVKEY:ANY</div><div> PRIVKEY_GEN:RSA</div><div> PUBKEY:RSA</div><div> PUBKEY:ANY</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5</div><div> PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1</div><div> PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1</div><div> CERT_DECODE:X509</div><div> PUBKEY:RSA (soft)</div><div> PUBKEY:ECDSA (soft)</div><div> PUBKEY:DSA (soft)</div><div> CERT_DECODE:X509_CRL</div><div> CONTAINER_DECODE:PKCS7</div><div> CONTAINER_DECODE:PKCS12</div><div> DH:ECP_256</div><div> DH:ECP_384</div><div> DH:ECP_521</div><div> DH:ECP_224</div><div> DH:ECP_192</div><div> DH:ECP_224_BP</div><div> DH:ECP_256_BP</div><div> DH:ECP_384_BP</div><div> DH:ECP_512_BP</div><div> PRIVKEY:ECDSA</div><div> PRIVKEY_GEN:ECDSA</div><div> PUBKEY:ECDSA</div><div> PRIVKEY_SIGN:ECDSA_WITH_NULL</div><div> PUBKEY_VERIFY:ECDSA_WITH_NULL</div><div> PRIVKEY_SIGN:ECDSA_WITH_SHA1_DER</div><div> PUBKEY_VERIFY:ECDSA_WITH_SHA1_DER</div><div> PRIVKEY_SIGN:ECDSA_WITH_SHA256_DER</div><div> PUBKEY_VERIFY:ECDSA_WITH_SHA256_DER</div><div> PRIVKEY_SIGN:ECDSA-256</div><div> PUBKEY_VERIFY:ECDSA-256</div><div> PRIVKEY_SIGN:ECDSA_WITH_SHA384_DER</div><div> PRIVKEY_SIGN:ECDSA_WITH_SHA512_DER</div><div> PUBKEY_VERIFY:ECDSA_WITH_SHA384_DER</div><div> PUBKEY_VERIFY:ECDSA_WITH_SHA512_DER</div><div> PRIVKEY_SIGN:ECDSA-384</div><div> PRIVKEY_SIGN:ECDSA-521</div><div> PUBKEY_VERIFY:ECDSA-384</div><div> PUBKEY_VERIFY:ECDSA-521</div><div> RNG:RNG_STRONG</div><div> RNG:RNG_WEAK</div><div>fips-prf:</div><div> PRF:PRF_FIPS_SHA1_160</div><div> PRF:PRF_KEYED_SHA1</div><div>gmp:</div><div> DH:MODP_2048</div><div> RNG:RNG_STRONG</div><div> DH:MODP_2048_224</div><div> RNG:RNG_STRONG</div><div> DH:MODP_2048_256</div><div> RNG:RNG_STRONG</div><div> DH:MODP_1536</div><div> RNG:RNG_STRONG</div><div> DH:MODP_3072</div><div> RNG:RNG_STRONG</div><div> DH:MODP_4096</div><div> RNG:RNG_STRONG</div><div> DH:MODP_6144</div><div> RNG:RNG_STRONG</div><div> DH:MODP_8192</div><div> RNG:RNG_STRONG</div><div> DH:MODP_1024</div><div> RNG:RNG_STRONG</div><div> DH:MODP_1024_160</div><div> RNG:RNG_STRONG</div><div> DH:MODP_768</div><div> RNG:RNG_STRONG</div><div> DH:MODP_CUSTOM</div><div> RNG:RNG_STRONG</div><div> PRIVKEY:RSA</div><div> PRIVKEY_GEN:RSA</div><div> RNG:RNG_TRUE</div><div> PUBKEY:RSA</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1</div><div> HASHER:HASH_SHA1</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224</div><div> HASHER:HASH_SHA224</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256</div><div> HASHER:HASH_SHA256</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384</div><div> HASHER:HASH_SHA384</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512</div><div> HASHER:HASH_SHA512</div><div> PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5</div><div> HASHER:HASH_MD5</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1</div><div> HASHER:HASH_SHA1</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224</div><div> HASHER:HASH_SHA224</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256</div><div> HASHER:HASH_SHA256</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384</div><div> HASHER:HASH_SHA384</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512</div><div> HASHER:HASH_SHA512</div><div> PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5</div><div> HASHER:HASH_MD5</div><div> PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1</div><div> PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1</div><div> RNG:RNG_WEAK</div><div>agent:</div><div> PRIVKEY:ANY</div><div> PRIVKEY:RSA</div><div> PRIVKEY:ECDSA</div><div>xcbc:</div><div> PRF:PRF_AES128_XCBC</div><div> CRYPTER:AES_CBC-16</div><div> PRF:PRF_CAMELLIA128_XCBC</div><div> CRYPTER:CAMELLIA_CBC-16</div><div> SIGNER:CAMELLIA_XCBC_96</div><div> CRYPTER:CAMELLIA_CBC-16</div><div> SIGNER:AES_XCBC_96</div><div> CRYPTER:AES_CBC-16</div><div>hmac:</div><div> PRF:PRF_HMAC_SHA1</div><div> HASHER:HASH_SHA1</div><div> PRF:PRF_HMAC_MD5</div><div> HASHER:HASH_MD5</div><div> PRF:PRF_HMAC_SHA2_256</div><div> HASHER:HASH_SHA256</div><div> PRF:PRF_HMAC_SHA2_384</div><div> HASHER:HASH_SHA384</div><div> PRF:PRF_HMAC_SHA2_512</div><div> HASHER:HASH_SHA512</div><div> SIGNER:HMAC_SHA1_96</div><div> HASHER:HASH_SHA1</div><div> SIGNER:HMAC_SHA1_128</div><div> HASHER:HASH_SHA1</div><div> SIGNER:HMAC_SHA1_160</div><div> HASHER:HASH_SHA1</div><div> SIGNER:HMAC_MD5_96</div><div> HASHER:HASH_MD5</div><div> SIGNER:HMAC_MD5_128</div><div> HASHER:HASH_MD5</div><div> SIGNER:HMAC_SHA2_256_128</div><div> HASHER:HASH_SHA256</div><div> SIGNER:HMAC_SHA2_256_256</div><div> HASHER:HASH_SHA256</div><div> SIGNER:HMAC_SHA2_384_192</div><div> HASHER:HASH_SHA384</div><div> SIGNER:HMAC_SHA2_384_384</div><div> HASHER:HASH_SHA384</div><div> SIGNER:HMAC_SHA2_512_256</div><div> HASHER:HASH_SHA512</div><div> SIGNER:HMAC_SHA2_512_512</div><div> HASHER:HASH_SHA512</div><div>gcm:</div><div> AEAD:AES_GCM_8-16</div><div> CRYPTER:AES_CBC-16</div><div> AEAD:AES_GCM_8-24</div><div> CRYPTER:AES_CBC-24</div><div> AEAD:AES_GCM_8-32</div><div> CRYPTER:AES_CBC-32</div><div> AEAD:AES_GCM_12-16</div><div> CRYPTER:AES_CBC-16</div><div> AEAD:AES_GCM_12-24</div><div> CRYPTER:AES_CBC-24</div><div> AEAD:AES_GCM_12-32</div><div> CRYPTER:AES_CBC-32</div><div> AEAD:AES_GCM_16-16</div><div> CRYPTER:AES_CBC-16</div><div> AEAD:AES_GCM_16-24</div><div> CRYPTER:AES_CBC-24</div><div> AEAD:AES_GCM_16-32</div><div> CRYPTER:AES_CBC-32</div><div>attr:</div><div> CUSTOM:attr</div><div>kernel-netlink:</div><div> CUSTOM:kernel-ipsec</div><div> CUSTOM:kernel-net</div><div>resolve:</div><div> CUSTOM:resolve</div><div>socket-default:</div><div> CUSTOM:socket</div><div> CUSTOM:kernel-ipsec (soft)</div><div>connmark:</div><div> CUSTOM:connmark</div><div>stroke:</div><div> CUSTOM:stroke</div><div> PRIVKEY:RSA (soft)</div><div> PRIVKEY:ECDSA (soft)</div><div> PRIVKEY:DSA (soft)</div><div> PRIVKEY:BLISS (soft)</div><div> CERT_DECODE:ANY (soft)</div><div> CERT_DECODE:X509 (soft)</div><div> CERT_DECODE:X509_CRL (soft)</div><div> CERT_DECODE:X509_AC (soft)</div><div> CERT_DECODE:TRUSTED_PUBKEY (soft)</div><div>updown:</div><div> CUSTOM:updown</div><div>root@Nachalsys ~ # ip -s xfrm policy</div><div>src <a href="http://172.21.148.0/28">172.21.148.0/28</a> dst <a href="http://192.168.1.0/24">192.168.1.0/24</a> uid 0</div><div> dir fwd action allow index 82 priority 2867 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft (INF)(bytes), hard (INF)(bytes)</div><div> limit: soft (INF)(packets), hard (INF)(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:03:41 use -</div><div> tmpl src 83.XXX.XXX.XXX dst 192.168.1.44</div><div> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel</div><div> level required share any </div><div> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff</div><div>src <a href="http://172.21.148.0/28">172.21.148.0/28</a> dst <a href="http://192.168.1.0/24">192.168.1.0/24</a> uid 0</div><div> dir in action allow index 72 priority 2867 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft (INF)(bytes), hard (INF)(bytes)</div><div> limit: soft (INF)(packets), hard (INF)(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:03:41 use -</div><div> tmpl src 83.XXX.XXX.XXX dst 192.168.1.44</div><div> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel</div><div> level required share any </div><div> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff</div><div>src <a href="http://192.168.1.0/24">192.168.1.0/24</a> dst <a href="http://172.21.148.0/28">172.21.148.0/28</a> uid 0</div><div> dir out action allow index 65 priority 2867 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft (INF)(bytes), hard (INF)(bytes)</div><div> limit: soft (INF)(packets), hard (INF)(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:03:41 use 2017-10-23 10:04:36</div><div> tmpl src 192.168.1.44 dst 83.XXX.XXX.XXX</div><div> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel</div><div> level required share any </div><div> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a> uid 0</div><div> socket in action allow index 59 priority 0 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft 0(bytes), hard 0(bytes)</div><div> limit: soft 0(packets), hard 0(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:00:23 use 2017-10-23 10:03:41</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a> uid 0</div><div> socket out action allow index 52 priority 0 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft 0(bytes), hard 0(bytes)</div><div> limit: soft 0(packets), hard 0(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:00:23 use 2017-10-23 10:08:16</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a> uid 0</div><div> socket in action allow index 43 priority 0 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft 0(bytes), hard 0(bytes)</div><div> limit: soft 0(packets), hard 0(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:00:23 use 2017-10-23 10:03:40</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a> uid 0</div><div> socket out action allow index 36 priority 0 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft 0(bytes), hard 0(bytes)</div><div> limit: soft 0(packets), hard 0(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:00:23 use 2017-10-23 10:03:40</div><div>src ::/0 dst ::/0 uid 0</div><div> socket in action allow index 27 priority 0 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft 0(bytes), hard 0(bytes)</div><div> limit: soft 0(packets), hard 0(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:00:23 use -</div><div>src ::/0 dst ::/0 uid 0</div><div> socket out action allow index 20 priority 0 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft 0(bytes), hard 0(bytes)</div><div> limit: soft 0(packets), hard 0(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:00:23 use -</div><div>src ::/0 dst ::/0 uid 0</div><div> socket in action allow index 11 priority 0 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft 0(bytes), hard 0(bytes)</div><div> limit: soft 0(packets), hard 0(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:00:23 use -</div><div>src ::/0 dst ::/0 uid 0</div><div> socket out action allow index 4 priority 0 share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft 0(bytes), hard 0(bytes)</div><div> limit: soft 0(packets), hard 0(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:00:23 use -</div><div>root@Nachalsys ~ # ip -s xfrm state</div><div>src 192.168.1.44 dst 83.XXX.XXX.XXX</div><div> proto esp spi 0x064d5231(105730609) reqid 1(0x00000001) mode tunnel</div><div> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)</div><div> auth-trunc hmac(sha1) 0x466bf4ff8b0b84b217af306707c4132461055fe4 (160 bits) 96</div><div> enc cbc(aes) 0xe904f2a626428de9ac9c0de6a7fd5ac3573b68cb50a3559a95e2ad6ba78456be (256 bits)</div><div> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div><div> anti-replay context: seq 0x0, oseq 0xf, bitmap 0x00000000</div><div> lifetime config:</div><div> limit: soft (INF)(bytes), hard (INF)(bytes)</div><div> limit: soft (INF)(packets), hard (INF)(packets)</div><div> expire add: soft 2950(sec), hard 3600(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 1140(bytes), 15(packets)</div><div> add 2017-10-23 10:03:41 use 2017-10-23 10:04:02</div><div> stats:</div><div> replay-window 0 replay 0 failed 0</div><div>src 83.XXX.XXX.XXX dst 192.168.1.44</div><div> proto esp spi 0xc86d1e57(3362594391) reqid 1(0x00000001) mode tunnel</div><div> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)</div><div> auth-trunc hmac(sha1) 0x77b5d898a1d67ae85257f02069f4d305fa79c554 (160 bits) 96</div><div> enc cbc(aes) 0x352455d84da909a0b806792889005112c77f8f4d4b344931f989c29422cbf23b (256 bits)</div><div> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div><div> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000</div><div> lifetime config:</div><div> limit: soft (INF)(bytes), hard (INF)(bytes)</div><div> limit: soft (INF)(packets), hard (INF)(packets)</div><div> expire add: soft 2944(sec), hard 3600(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2017-10-23 10:03:41 use -</div><div> stats:</div><div> replay-window 0 replay 0 failed 0</div><div>root@Nachalsys ~ # ip route list table 220</div><div><a href="http://172.21.148.0/28">172.21.148.0/28</a> via 192.168.1.1 dev wlp61s0 proto static src 192.168.1.44 </div><div>root@Nachalsys ~ # iptables -L</div><div>Chain INPUT (policy ACCEPT)</div><div>target prot opt source destination </div><div>f2b-sshd tcp -- anywhere anywhere multiport dports ssh</div><div><br></div><div>Chain FORWARD (policy ACCEPT)</div><div>target prot opt source destination </div><div><br></div><div>Chain OUTPUT (policy ACCEPT)</div><div>target prot opt source destination </div><div><br></div><div>Chain f2b-sshd (1 references)</div><div>target prot opt source destination </div><div>RETURN all -- anywhere anywhere </div><div>root@Nachalsys ~ # iptables-save</div><div># Generated by iptables-save v1.6.0 on Mon Oct 23 10:09:13 2017</div><div>*nat</div><div>:PREROUTING ACCEPT [13:490]</div><div>:INPUT ACCEPT [6:266]</div><div>:OUTPUT ACCEPT [81:5229]</div><div>:POSTROUTING ACCEPT [79:5085]</div><div>-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT</div><div>COMMIT</div><div># Completed on Mon Oct 23 10:09:13 2017</div><div># Generated by iptables-save v1.6.0 on Mon Oct 23 10:09:13 2017</div><div>*filter</div><div>:INPUT ACCEPT [2064:691071]</div><div>:FORWARD ACCEPT [0:0]</div><div>:OUTPUT ACCEPT [2103:365586]</div><div>:f2b-sshd - [0:0]</div><div>-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd</div><div>-A f2b-sshd -j RETURN</div><div>COMMIT</div><div># Completed on Mon Oct 23 10:09:13 2017</div><div>root@Nachalsys ~ # </div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 4, 2017 at 9:09 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Advise for your problem and corrections for incorrect statements are found in the text, below<br>
the corresponding quoted section from your mail.<br>
<br>
On 04.09.2017 20:20, Charles-Antoine Giuliani wrote:<br>
> I followed the configuration at<br>
> <a href="https://www.strongswan.org/">https://www.strongswan.org/</a><wbr>testing/testresults/ikev1/<wbr>net2net-psk/<br>
> (closest configuration I could find, though the examples seem to have been designed for local networks)<br>
Those are not examples, as the introduction page to the test results says[1][2]. You are not supposed to use those.<br>
There is a dedicated article[3] on the wiki about example configurations. Read the introduction[4] and the article about forwarding[5] first,<br>
then use the configuration for the corresponding scenario (site-to-site scenario). The test scenarios are tests that are run in a virtualized LAN environment<br>
using QEMU, so this obviously does not correspond to a real life deployment. This is also made clear in the warning[2].<br>
<br>
><br>
> However the computer does not manage to connect<br>
><br>
> thyfate@DataLearning-001:~$ sudo ipsec start<br>
> Starting strongSwan 5.1.2 IPsec [starter]...<br>
> charon is already running (/var/run/charon.pid exists) -- skipping daemon start<br>
> starter is already running (/var/run/starter.charon.pid exists) -- no fork done<br>
> thyfate@DataLearning-001:~$ sudo ipsec up ciscoios<br>
> initiating Main Mode IKE_SA ciscoios[3554] to 83.XXX.XXX.XXX<br>
> generating ID_PROT request 0 [ SA V V V V ]<br>
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)<br>
> sending retransmit 1 of request message ID 0, seq 1<br>
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)<br>
> sending retransmit 2 of request message ID 0, seq 1<br>
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)<br>
> sending retransmit 3 of request message ID 0, seq 1<br>
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)<br>
> sending retransmit 4 of request message ID 0, seq 1<br>
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)<br>
> sending retransmit 5 of request message ID 0, seq 1<br>
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)<br>
> giving up after 5 retransmits<br>
> establishing IKE_SA failed, peer not responding<br>
> establishing connection 'ciscoios' failed<br>
<br>
That obviously does not work, because you are neither supposed to, nor allowed to send IP packets from an IP<br>
address that is not bound to your host. You can work around that, but it is neither the or even a solution to your problem<br>
nor advised to try to do that. At least your home router would drop the packets because of the bogus source. I am very certain<br>
that charon logs a corresponding error message in syslog or the journal, whenever you try to initiate the connection<br>
<br>
The "left" parameter is described as follows in the first paragraph about it on the man page:<br>
> left = <ip address> | <fqdn> | %any | <range> | <subnet><br>
> The IP address of the left participant's public-network interface or one of several magic values. The value %any (the default) for the local endpoint signifies an address<br>
> to be filled in (by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table will be queried to determine the correct local<br>
> IP address. In case the local peer is responding to a connection setup then any IP address that is assigned to a local interface will be accepted.<br>
<br>
As you can read, that parameter is neither appropriate nor needed in your case, because 93.XXX.XXX.XXX is not bound to any local interface. Just don't use "left". Charon is smart<br>
enough to determine the correct source IP by itself, as the man page describes.<br>
<br>
> Below some details on the setup:<br>
><br>
> I am using Ubuntu 14.04. My computer is behind an ISP-provided router box where ports 500 and 4500 have been NAT - forwarded, both on TCP and UDP. My computer external address is 93.XXX.XXX.XXX and the local network the computer is on has ranges 192.168.1.XXX, the specific machine having ip 192.168.1.104. On the other side, a Cisco ASA 5520 is used to create the VPN on an external ip address of 83.XXX.XXX.XXX.<br>
><br>
> Strongswan was installed with the following command line<br>
><br>
> sudo apt-get install strongswan strongswan-plugin-af-alg strongswan-plugin-agent strongswan-plugin-certexpire strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp strongswan-plugin-duplicheck strongswan-plugin-eap-aka strongswan-plugin-eap-aka-<wbr>3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-farp strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp strongswan-plugin-ipseckey strongswan-plugin-kernel-<wbr>libipsec strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr strongswan-plugin-sshkey strongswan-plugin-systime-fix strongswan-plugin-whitelist strongswan-plugin-xauth-eap<br>
> strongswan-plugin-xauth-<wbr>generic strongswan-plugin-xauth-noauth strongswan-plugin-xauth-pam<br>
<br>
Never do that unless you need the package and know what it does. There are packets that cause very hard problems and obstacles when installed without reason, e.g. "strongswan-plugin-kernel-<wbr>libipsec". Remove that package.<br>
<br>
<br>
> ==============================<wbr>==============================<br>
> /etc/ipsec.conf<br>
> ==============================<wbr>==============================<br>
> # ipsec.conf - strongSwan IPsec configuration file<br>
><br>
> # basic configuration<br>
><br>
> config setup<br>
> # strictcrlpolicy=yes<br>
> # uniqueids = no<br>
><br>
> # Add connections here.<br>
><br>
> # Sample VPN connections<br>
><br>
> #conn sample-self-signed<br>
> # leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a> <<a href="http://10.1.0.0/16">http://10.1.0.0/16</a>><br>
> # leftcert=selfCert.der<br>
> # leftsendcert=never<br>
> # right=192.168.0.2<br>
> # rightsubnet=<a href="http://10.2.0.0/16">10.2.0.0/16</a> <<a href="http://10.2.0.0/16">http://10.2.0.0/16</a>><br>
> # rightcert=peerCert.der<br>
> # auto=start<br>
><br>
> #conn sample-with-ca-cert<br>
> # leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a> <<a href="http://10.1.0.0/16">http://10.1.0.0/16</a>><br>
> # leftcert=myCert.pem<br>
> # right=192.168.0.2<br>
> # rightsubnet=<a href="http://10.2.0.0/16">10.2.0.0/16</a> <<a href="http://10.2.0.0/16">http://10.2.0.0/16</a>><br>
> # rightid="C=CH, O=Linux strongSwan CN=peer name"<br>
> # auto=start<br>
><br>
> conn %default<br>
> ikelifetime=1440m<br>
> keylife=60m<br>
> rekeymargin=3m<br>
> keyingtries=1<br>
> keyexchange=ikev1<br>
> authby=secret<br>
><br>
> conn ciscoios<br>
> left=93.XXX.XXX.XXX #strongswan outside address<br>
> leftsubnet=<a href="http://172.31.17.0/28">172.31.17.0/28</a> <<a href="http://172.31.17.0/28">http://172.31.17.0/28</a>> #network behind strongswan<br>
> leftid=93.XXX.XXX.XXX #IKEID sent by strongswan<br>
> leftfirewall=no<br>
> right=83.XXX.XXX.XXX #IOS outside address<br>
> rightsubnet=<a href="http://172.21.148.0/28">172.21.148.0/28</a> <<a href="http://172.21.148.0/28">http://172.21.148.0/28</a>> #network behind IOS<br>
> rightid=83.XXX.XXX.XXX #IKEID sent by IOS<br>
> auto=add<br>
> ike=aes256-sha-modp1024 #P1: modp1024 = DH group 2<br>
> esp=aes256-sha1 #P2<br>
<br>
DH group 2 is broken[6]. Avoid it.<br>
In any case, use auto=route, don't set "left", "leftfirewall" is superfluous, rightid does not need to be set in your case and try to use PFS. It's basically free and it is good practice to use it.<br>
Remove anything above the "conn ciscoios" section and move "keyexchange=ikev1" into "conn ciscoios". Set "keyingtries=%forever", "leftauth=psk" and "rightauth=psk".<br>
<br>
> thyfate@DataLearning-001:~$ sudo ipsec statusall<br>
> [sudo] password for thyfate: <br>
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.0-77-generic, x86_64):<br>
> uptime: 42 days, since Jul 24 07:41:43 2017<br>
> malloc: sbrk 2904064, mmap 266240, used 581776, free 2322288<br>
> worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 1<br>
> loaded plugins: charon test-vectors curl unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp sshkey ipseckey pem openssl gcrypt af-alg fips-prf gmp xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp whitelist lookip error-notify certexpire led duplicheck radattr addrblock<br>
> Listening IP addresses:<br>
> 192.168.1.104<br>
> Connections:<br>
> ciscoios: 93.XXX.XXX.XXX...83.XXX.XXX.<wbr>XXX IKEv1<br>
> ciscoios: local: [93.XXX.XXX.XXX] uses pre-shared key authentication<br>
> ciscoios: remote: [83.XXX.XXX.XXX] uses pre-shared key authentication<br>
> ciscoios: child: <a href="http://0.0.0.0/0">0.0.0.0/0</a> <<a href="http://0.0.0.0/0">http://0.0.0.0/0</a>> === <a href="http://172.21.148.0/28">172.21.148.0/28</a> <<a href="http://172.21.148.0/28">http://172.21.148.0/28</a>> TUNNEL<br>
<br>
The local TS does not match your configuration (<a href="http://0.0.0.0/0">0.0.0.0/0</a> <=> <a href="http://172.31.17.0/28">172.31.17.0/28</a>). Do not try to use larger traffic selectors than requested by the administrator<br>
of the other peer. Other IKE software does not implement IKEv1 traffic selector narrowing, so this configuration will throw errors, because the subnets are different from the ones configured,<br>
if the remote peer is for example a Cisco or Juniper device.<br>
<br>
> Security Associations (1 up, 0 connecting):<br>
> ciscoios[3554]: CONNECTING, 93.XXX.XXX.XXX[%any]...83.XXX.<wbr>XXX.XXX[%any]<br>
> ciscoios[3554]: IKEv1 SPIs: 1b151f2a679038df_i* 0000000000000000_r<br>
> ciscoios[3554]: Tasks queued: QUICK_MODE <br>
> ciscoios[3554]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD <br>
><br>
<br>
> thyfate@DataLearning-001:~$ sudo iptables-save<br>
> # Generated by iptables-save v1.4.21 on Mon Sep 4 08:39:12 2017<br>
> *nat<br>
> :PREROUTING ACCEPT [14381:2557534]<br>
> :INPUT ACCEPT [14224:2540988]<br>
> :OUTPUT ACCEPT [18294:1425542]<br>
> :POSTROUTING ACCEPT [18294:1425542]<br>
> -A POSTROUTING -s <a href="http://172.31.17.0/28">172.31.17.0/28</a> <<a href="http://172.31.17.0/28">http://172.31.17.0/28</a>> -o eth0 -j MASQUERADE<br>
<br>
That rule will cause problems. Read the article about NAT problems[7] and then apply the rule to fix it.<br>
<br>
> COMMIT<br>
> # Completed on Mon Sep 4 08:39:12 2017<br>
> # Generated by iptables-save v1.4.21 on Mon Sep 4 08:39:12 2017<br>
> *filter<br>
> :INPUT ACCEPT [676542:524740723]<br>
> :FORWARD ACCEPT [0:0]<br>
<br>
The counters are suspiciously low. Check if forwarding is enabled. Fix it appropriately following the article about forwarding[5].<br>
<br>
> :OUTPUT ACCEPT [434134:197554510]<br>
> :fail2ban-ssh - [0:0]<br>
> -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh<br>
> -A fail2ban-ssh -j RETURN<br>
> COMMIT<br>
> # Completed on Mon Sep 4 08:39:12 2017<br>
><br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
[1] <a href="https://wiki.strongswan.org/">https://wiki.strongswan.org/</a><wbr>projects/strongswan/wiki/<wbr>ConfigurationExamples<br>
[2] <a href="https://wiki.strongswan.org/">https://wiki.strongswan.org/</a><wbr>projects/strongswan/wiki/<wbr>ConfigurationExamplesNotes<br>
[3] <a href="https://wiki.strongswan.org/">https://wiki.strongswan.org/</a><wbr>projects/strongswan/wiki/<wbr>UsableExamples<br>
[4] <a href="https://wiki.strongswan.org/">https://wiki.strongswan.org/</a><wbr>projects/strongswan/wiki/<wbr>IntroductionTostrongSwan<br>
[5] <a href="https://wiki.strongswan.org/">https://wiki.strongswan.org/</a><wbr>projects/strongswan/wiki/<wbr>ForwardingAndSplitTunneling<br>
[6] <a href="https://wiki.strongswan.org/">https://wiki.strongswan.org/</a><wbr>projects/strongswan/wiki/<wbr>SecurityRecommendations#Logjam (Read the paragraph titled "LogJam")<br>
[7] <a href="https://wiki.strongswan.org/">https://wiki.strongswan.org/</a><wbr>projects/strongswan/wiki/<wbr>ForwardingAndSplitTunneling#<wbr>General-NAT-problems<br>
<br>
</blockquote></div><br></div></div>