<div dir="ltr">I've installed strongswan on a new CentOS 7 server following <a href="https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html">https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html</a><div><br></div><div>Connections from Windows 10 and Android are fine. My understanding of all things VPN is very basic.</div><div><br></div><div>Getting the backup CentOS 6 libreswan connected has stumped me, I'm unable to get past "no IKE config found for 10.240.0.2 ...<client_public_ip>"</div><div><br></div><div>I can see entries relating to the client and server certificates looking at "ipsec status" so I think certificates are ok. Experimenting with specific ike and phasealg entries on client hasn't got me anywhere.</div><div><br></div><div>There are no ikev2 mentions in the logs which seems wrong, so many Google results.</div><div><br></div><div>Could someone please point me in the right direction.</div><div><br></div><div>Gordon.</div><div><br></div><div><br></div><div><br></div><div><br></div><div>------------- server messages</div><div><br></div><div><div>Nov 8 10:46:17 buddyi charon: 03[NET] received packet: from <client_public_ip>[500</div><div>] to 10.240.0.2[500]</div><div>Nov 8 10:46:17 buddyi charon: 03[NET] waiting for data on sockets</div><div>Nov 8 10:46:17 buddyi charon: 05[MGR] checkout IKEv1 SA by message with SPIs a3</div><div>0b15eb151113bc_i 0000000000000000_r</div><div>Nov 8 10:46:17 buddyi strongswan: 14[ENC] parsed ID_PROT request 0 [ SA V V V V</div><div> V V ]</div><div>Nov 8 10:46:17 buddyi strongswan: 14[CFG] looking for an ike config for 10.240.</div><div>0.2...<client_public_ip></div><div>Nov 8 10:46:17 buddyi strongswan: 14[IKE] no IKE config found for 10.240.0.2...</div><div><client_public_ip>, sending NO_PROPOSAL_CHOSEN</div><div>Nov 8 10:46:17 buddyi strongswan: 14[ENC] generating INFORMATIONAL_V1 request 1</div><div>476202834 [ N(NO_PROP) ]</div><div><br></div><div><br></div><div>------------ client:/etc/ipsec.conf</div><div><br></div><div><div>version 2.0 # conforms to second version of ipsec.conf specification</div><div><br></div><div># basic configuration</div><div>config setup</div><div> # interfaces="ipsec0=eth1"</div><div> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.100.64/27">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.100.64/27</a></div><div> # Debug-logging controls: "none" for (almost) none, "all" for lots.</div><div> klipsdebug=none</div><div> # klipsdebug=all</div><div> # plutodebug="control parsing"</div><div> # plutodebug=all</div><div> # plutostderrlog=/var/log/pluto.log</div><div> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div> protostack=netkey</div><div> nat_traversal=yes</div><div> virtual_private=</div><div> oe=off</div><div><br></div><div><br></div><div><br></div><div><br></div><div># trying to connect libreswan here to strongswan on buddy</div><div><br></div><div>conn buddy</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div><br></div><div> authby=rsasig</div><div> leftcert="gj's VPN Certificate"</div><div> leftsendcert=always</div><div><br></div><div><br></div><div> leftid=%fromcert</div><div> left=%defaultroute</div><div> leftsubnet=<a href="http://10.0.100.0/24">10.0.100.0/24</a></div><div> leftprotoport=17/1701</div><div><br></div><div> # Replace IP address with your VPN server's IP</div><div> right=<server_public_ip></div><div> rightprotoport=17/1701</div><div> auto=add</div><div><br></div><div><br></div><div>#include /etc/ipsec.d/*.conf</div></div><div><br></div><div>---------- server ipsec.conf</div><div><br></div><div><div># ipsec.conf - strongSwan IPsec configuration file</div><div><br></div><div># basic configuration</div><div><br></div><div>config setup</div><div> # strictcrlpolicy=yes</div><div> # uniqueids = no</div><div><br></div><div># Add connections here.</div><div><br></div><div># Sample VPN connections</div><div><br></div><div>#conn sample-self-signed</div><div># leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a></div><div># leftcert=selfCert.der</div><div># leftsendcert=never</div><div># right=192.168.0.2</div><div># rightsubnet=<a href="http://10.2.0.0/16">10.2.0.0/16</a></div><div># rightcert=peerCert.der</div><div># auto=start</div><div><br></div><div>#conn sample-with-ca-cert</div><div># leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a></div><div># leftcert=myCert.pem</div><div># right=192.168.0.2</div><div># rightsubnet=<a href="http://10.2.0.0/16">10.2.0.0/16</a></div><div># rightid="C=CH, O=Linux strongSwan CN=peer name"</div><div># auto=start</div><div><br></div><div># ipsec.conf - strongSwan IPsec configuration file</div><div><br></div><div>config setup</div><div> charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"</div><div><br></div><div>conn %default</div><div> keyexchange=ikev2</div><div> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!</div></div><div><div> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!</div><div><br></div><div><br></div><div> dpdaction=clear</div><div> dpddelay=300s</div><div> rekey=no</div><div><br></div><div><br></div><div> #Server side</div><div> left=%any</div><div> # left=10.240.0.2</div><div> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div> leftcert=vpnHostCert.der</div><div> # leftfirewall=yes</div><div><br></div><div><br></div><div> #Client side</div><div> right=%any</div><div> rightdns=8.8.8.8,8.8.4.4</div><div> rightsourceip=<a href="http://10.42.42.0/24">10.42.42.0/24</a></div><div> </div><div>conn IPSec-IKEv2</div><div> keyexchange=ikev2</div><div> auto=add</div><div><br></div><div><br></div><div><div>conn IPSec-IKEv2-EAP</div><div> also="IPSec-IKEv2"</div><div> rightauth=eap-mschapv2</div><div> rightauthby2=pubkey</div><div> rightsendcert=never</div><div> eap_identity=%any</div><div><br></div><div>#conn CiscoIPSec</div><div># keyexchange=ikev1</div><div># forceencaps=yes</div><div># authby=xauthrsasig</div><div># xauth=server</div><div># auto=add</div></div></div><div><br></div><div><br></div><div><br></div>
</div></div>