<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>All,</p>
<p>Got this sorted in the end.</p>
<p>It turned out that even though we were using iptables, the firewalld
daemon was running in the background and was interfering :)</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 27/09/2021 11:54, Lewis Robson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:dece4383-6bd4-9544-53a3-5ea0544b5872@conscious.co.uk">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hello all,</p>
<p>Still having the same problem with this one.</p>
<p>This morning I set up another site-to-site tunnel from another
external node to make sure that the server I'm working on can
talk out; the connection set up and worked fine.</p>
<p><br>
</p>
<p>Back to the drawing board: using the config below or playing
about with other ones, I can't get users in via an Android device,
even using just EAP authentication. I've just tried the config
from
<a class="moz-txt-link-freetext"
href="https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Roadwarrior-scenario"
moz-do-not-send="true">https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Roadwarrior-scenario</a>
and had no luck.<br>
</p>
<p>Has anyone got any links, configs, advice, etc. on setting this up so
that my mobile client can connect in properly?</p>
<p><br>
</p>
<p>Thank you.<br>
</p>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
</th>
<td>[strongSwan] problem with setup for android connecting
in</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date:
</th>
<td>Fri, 24 Sep 2021 16:43:14 +0100</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From:
</th>
<td>Lewis Robson <a class="moz-txt-link-rfc2396E"
href="mailto:robsonl@conscious.co.uk"
moz-do-not-send="true"><robsonl@conscious.co.uk></a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td><a class="moz-txt-link-abbreviated"
href="mailto:users@lists.strongswan.org"
moz-do-not-send="true">users@lists.strongswan.org</a>
<a class="moz-txt-link-rfc2396E"
href="mailto:users@lists.strongswan.org"
moz-do-not-send="true"><users@lists.strongswan.org></a></td>
</tr>
</tbody>
</table>
<br>
<br>
Hi all,<br>
<br>
Trying to re-create our strongSwan setup on a new server: we had
a working proof of concept, but the old server was scrapped.<br>
We had some files copied for the config that unfortunately aren't
working for some reason now.<br>
<br>
Also, with charon debug we are not receiving logs for some
reason; nothing in journalctl to help either.<br>
<br>
<br>
The scenario:<br>
<br>
Server with an external-facing IP hosting strongSwan (no
firewall currently, for testing the setup).<br>
<br>
Clients connecting in via mobile strongSwan with certificate and
EAP so that they can be on the network; the plan is to have it
so that any phone traffic routes through here and any other
traffic doesn't.<br>
<br>
<br>
We have set up the local server as the CA for testing and copied
the CA cert to the phone; however, it won't connect. As there are no
logs server-side this doesn't help, but a tcpdump when trying to
connect shows:<br>
<br>
isakmp: isakmp: parent_sa ikev2_init[I]<br>
<br>
admin prohibited filter, length 556<br>
<br>
Phone logs show: unable to terminate ike_sa, peer not responding<br>
<br>
I<br>
<br>
Here is the config file that I named "android working" from the
old server that isn't working now. (There are duplicate entries
of rightsendcert; should this be never? Also for the
rightauth, what should I be expecting my .secrets file to look like?)<br>
<br>
<br>
<pre>
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=my-servers-external-ip
    leftcert=the-server-cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsendcert=always
    rightauth=pubkey
    authby=pubkey
    #rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
</pre>
<br>
Any help much appreciated.<br>
<br>
Thank you kindly.<br>
<br>
<br>
<br>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: <a class="moz-txt-link-freetext" href="https://www.conscious.co.uk">https://www.conscious.co.uk</a></pre>
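<p>Two things in this thread are worth checking mechanically before touching a working tunnel: the duplicated <code>rightsendcert</code> entries in the posted conn section, and the "admin prohibited" ICMP seen in the tcpdump, which is the signature of a host firewall REJECT rule (the firewalld interference found in the end). The script below is an added example written for this page; it is not part of the thread or of strongSwan. It uses a simplified, assumed ipsec.conf reader (not strongSwan's own starter parser, so it reports duplicates without claiming which value wins), an assumed list of weak proposal tokens, and constructed sample input with documentation IP addresses.</p>

```python
import re
from collections import defaultdict

# Constructed sample (assumption: trimmed copy of the conn section from the
# thread, keeping the duplicated rightsendcert lines; hostnames are placeholders).
SAMPLE_CONF = """\
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    leftsendcert=always
    rightauth=pubkey
    rightsendcert=always
    #rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
"""

# Constructed tcpdump lines (assumption) using documentation addresses;
# the second mirrors the "admin prohibited filter" line from the thread.
SAMPLE_TCPDUMP = [
    "IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: parent_sa ikev2_init[I]",
    "IP 198.51.100.5 > 203.0.113.10: ICMP host 198.51.100.5 unreachable"
    " - admin prohibited filter, length 556",
]

# Assumed list of proposal tokens an engineer would flag today.
WEAK_TOKENS = {"3des", "md5", "sha1", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Parse ipsec.conf-style text into {section: [(key, value), ...]}.

    Every assignment is kept in order so duplicates can be reported.
    Comment handling is crude (a '#' anywhere starts a comment); this is
    an illustration, not strongSwan's starter parser."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^(config|conn|ca)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return dict(sections)


def find_duplicate_keys(sections):
    """Return {section: {key: [value, ...]}} for keys assigned more than once."""
    dupes = {}
    for name, items in sections.items():
        seen = defaultdict(list)
        for key, value in items:
            seen[key].append(value)
        repeated = {k: v for k, v in seen.items() if len(v) > 1}
        if repeated:
            dupes[name] = repeated
    return dupes


def weak_ike_algorithms(sections, conn="conn ikev2-vpn"):
    """List proposals in the conn's ike= line that contain a weak token."""
    ike_values = [v for k, v in sections.get(conn, []) if k == "ike"]
    if not ike_values:
        return []
    proposals = ike_values[-1].rstrip("!").split(",")
    return [p for p in proposals if set(p.split("-")) & WEAK_TOKENS]


def firewall_reject_hints(tcpdump_lines):
    """Flag ICMP 'admin prohibited' replies: a REJECT rule on a host
    firewall (iptables or firewalld) answered the IKE packet, so check
    whether more than one firewall service is active on the box."""
    return [line for line in tcpdump_lines if "admin prohibited" in line]


def report(conf_text, tcpdump_lines):
    """Build a list of human-readable findings for the given inputs."""
    sections = parse_ipsec_conf(conf_text)
    findings = []
    for section, keys in find_duplicate_keys(sections).items():
        for key, values in keys.items():
            findings.append(f"{section}: '{key}' set {len(values)} times: {values}")
    for proposal in weak_ike_algorithms(sections):
        findings.append(f"weak IKE proposal: {proposal}")
    for line in firewall_reject_hints(tcpdump_lines):
        findings.append(f"firewall REJECT seen on the wire: {line}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_CONF, SAMPLE_TCPDUMP):
        print(finding)
```

<p>Run it against a real <code>ipsec.conf</code> and a saved <code>tcpdump</code> capture; a duplicate-key finding tells you to remove the stale line rather than guess which one charon applied, and a REJECT finding tells you to look at the host firewall before the IKE config.</p>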
</body>
</html>