<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Jianjun,</p>
<p> I see at least one issue: the "left" config is wrong. Instead of</p>
<p> <tt>left=0.0.0.0</tt></p>
<p> you want <br>
</p>
<p> <tt>left=%any</tt></p>
<p>Regards,</p>
<p>Jafar<br>
</p>
<div class="moz-cite-prefix">On 9/2/19 5:03 PM, Jianjun Shen Shen
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAK2m7M-1My7m2jTn2c9dCp=paAWTJ_79baWAgRx+ejWqnf0hKA@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I am using strongswan
(U5.3.5/K4.4.0-87-generic) on Ubuntu
(16.04.3 LTS).</div>
<div><br>
</div>
<div>Running "/usr/lib/ipsec/charon
--debug-cfg 4 --debug-ike 4" got the
following log messages:</div>
<div>
<div>00[DMN] Starting IKE charon
daemon (strongSwan 5.3.5, Linux
4.4.0-87-generic, x86_64)</div>
<div>00[CFG] loading ca certificates
from '/etc/ipsec.d/cacerts'</div>
<div>00[CFG] loading aa certificates
from '/etc/ipsec.d/aacerts'</div>
<div>00[CFG] loading ocsp signer
certificates from
'/etc/ipsec.d/ocspcerts'</div>
<div>00[CFG] loading attribute
certificates from
'/etc/ipsec.d/acerts'</div>
<div>00[CFG] loading crls from
'/etc/ipsec.d/crls'</div>
<div>00[CFG] loading secrets from
'/etc/ipsec.secrets'</div>
<div>00[CFG] loaded IKE secret for
0.0.0.0 10.162.19.54</div>
<div>00[CFG] secret:
73:77:6f:72:64:66:69:73:68</div>
<div>00[LIB] loaded plugins: charon
test-vectors aes rc2 sha1 sha2 md4
md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8
pkcs12 pgp dnskey sshkey pem
fips-prf gmp xcbc hmac attr
kernel-netlink resolve
socket-default stroke updown</div>
<div>00[LIB] dropped capabilities,
running as uid 0, gid 0</div>
<div>00[JOB] spawning 16 worker
threads</div>
<div>05[NET] received packet: from
10.162.19.54[500] to
10.162.19.55[500] (660 bytes)</div>
<div>05[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) ]</div>
<div>05[CFG] looking for an ike config
for 10.162.19.55...10.162.19.54</div>
<div>05[IKE] no IKE config found for
10.162.19.55...10.162.19.54, sending
NO_PROPOSAL_CHOSEN</div>
<div>05[ENC] generating IKE_SA_INIT
response 0 [ N(NO_PROP) ]</div>
<div>05[NET] sending packet: from
10.162.19.55[500] to
10.162.19.54[500] (36 bytes)</div>
<div>05[IKE] IKE_SA (unnamed)[1] state
change: CREATED => DESTROYING</div>
</div>
<div><br>
</div>
<div>And my ipsec.conf is quite simple:</div>
<div>
<div>config setup</div>
<div> uniqueids=yes</div>
<div><br>
</div>
<div>conn %default</div>
<div> keyingtries=%forever</div>
<div> type=transport</div>
<div> keyexchange=ikev2</div>
<div> auto=route</div>
<div>
ike=aes256gcm16-sha256-modp2048</div>
<div> esp=aes256gcm16-modp2048</div>
<div><br>
</div>
<div>conn host54</div>
<div> left=0.0.0.0</div>
<div> right=10.162.19.54</div>
<div> authby=psk</div>
<div> leftprotoport=gre</div>
<div> rightprotoport=gre</div>
</div>
<div><br>
</div>
<div>"ipsec statusall" shows the
following:</div>
<div>
<div>Status of IKE charon daemon
(strongSwan 5.3.5, Linux
4.4.0-87-generic, x86_64):<br>
</div>
<div> uptime: 3 seconds, since Sep 02
22:00:24 2019</div>
<div> malloc: sbrk 1216512, mmap 0,
used 251808, free 964704</div>
<div> worker threads: 11 of 16 idle,
5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0</div>
<div> loaded plugins: charon
test-vectors aes rc2 sha1 sha2 md4
md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8
pkcs12 pgp dnskey sshkey pem
fips-prf gmp xcbc hmac attr
kernel-netlink resolve
socket-default stroke updown</div>
<div>Listening IP addresses:</div>
<div> 10.162.19.55</div>
<div>
fd01:0:101:2616:20c:29ff:fe2f:26c4</div>
<div> 172.17.0.1</div>
<div> 192.168.0.55</div>
<div>Connections:</div>
<div> host54:
0.0.0.0...10.162.19.54 IKEv2</div>
<div> host54: local: uses
pre-shared key authentication</div>
<div> host54: remote:
[10.162.19.54] uses pre-shared key
authentication</div>
<div> host54: child:
dynamic[gre] === dynamic[gre]
TRANSPORT</div>
<div>Routed Connections:</div>
<div> host54 {1}: ROUTED,
TRANSPORT, reqid 1</div>
<div> host54 {1}: 10.162.19.55/32[gre] === 10.162.19.54/32[gre]</div>
<div>Security Associations (0 up, 0
connecting):</div>
<div> none</div>
</div>
<div><br>
</div>
<div>So, I could not see anything wrong.
Could you please help?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Jianjun</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
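<p>A small check for the change suggested in the reply, added here as an example and not taken from the thread or from strongSwan: it parses an ipsec.conf, reports conns whose left or right is the literal 0.0.0.0 (checking right as well goes beyond the reply, which only mentions left), and lists which conns name the peer from a charon "no IKE config found" line. The function names are hypothetical and the sample input is constructed from the config and log quoted above.</p>

```python
import re
# Constructed sample: trimmed from the ipsec.conf and charon log quoted in this thread.
SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    auto=route

conn host54
    left=0.0.0.0
    right=10.162.19.54
    authby=psk
"""
SAMPLE_LOG = "05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN\n"
NO_CFG = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+?),")

def parse_conns(text):
    """Return {conn: {key: value}} with 'conn %default' merged in (also= is not followed)."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank line or whole-line comment
        if not line[0].isspace():                     # unindented line starts a section
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = sections.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:     # option inside a conn section
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def wildcard_findings(conf_text):
    """(conn, option) pairs where left/right is the literal 0.0.0.0 the reply calls out."""
    return [(name, side) for name, opts in parse_conns(conf_text).items()
            for side in ("left", "right") if opts.get(side) == "0.0.0.0"]

def rejected_peers(conf_text, log_text):
    """For each 'no IKE config found' log line: (local, remote, conns that name remote)."""
    conns = parse_conns(conf_text)
    return [(local, remote, sorted(n for n, o in conns.items()
                                   if remote in (o.get("left"), o.get("right"))))
            for local, remote in NO_CFG.findall(log_text)]

if __name__ == "__main__":
    print("literal 0.0.0.0 (reply suggests %any):", wildcard_findings(SAMPLE_CONF))
    print("rejected peers and the conns naming them:", rejected_peers(SAMPLE_CONF, SAMPLE_LOG))
```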
</body>
</html>