[strongSwan] Mixed ikev1/ikev2 rw setup

Russ Cox russ.cox at e-dba.net
Thu Feb 25 13:36:59 CET 2010


Hi all - I've managed to get a roadwarrior setup working using IKEv2 and 
X.509 certs, which is great for Linux and Windows 7 rw's, but I need IKEv1 
working alongside it for XP, Vista and OS X rw's - so far I'm not having much 
joy and Google isn't throwing up much.

If I change the roadwarrior ipsec.conf 'keyexchange=ikev1' to ikev2, it 
works fine.

Any help would be fantastic, I would love to just get this out the way - 
it's been dragging on now ;D

My setup

Strongswan gw

vpngw===nat/router==tinternet===nat/router===rw machine
192.168.0.18                                          y.y.y.y


Config is below:

RW machine:

================
ted:/etc/ipsec.d# ipsec up nat
002 "nat" #1: initiating Main Mode
104 "nat" #1: STATE_MAIN_I1: initiate
010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "nat" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
=================

/var/log/auth.log on VPN GW

=========
Feb 25 12:34:02 lister pluto[16253]: | next event EVENT_REINIT_SECRET in 2400 seconds
Feb 25 12:34:12 lister pluto[16253]: |
Feb 25 12:34:12 lister pluto[16253]: | *received 288 bytes from [RW NAT IP]:500 on eth0
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: ignoring Vendor ID payload [strongSwan 4.3.2]
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: ignoring Vendor ID payload [Cisco-Unity]
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: received Vendor ID payload [XAUTH]
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: received Vendor ID payload [Dead Peer Detection]
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: received Vendor ID payload [RFC 3947]
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 25 12:34:12 lister pluto[16253]: | preparse_isakmp_policy: peer requests PUBKEY authentication
Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500: initial Main Mode message received on 192.168.0.18:500 but no connection has been authorized with policy=PUBKEY
Feb 25 12:34:12 lister pluto[16253]: | next event EVENT_REINIT_SECRET in 2390 seconds
Feb 25 12:34:32 lister pluto[16253]: |
=========


VPN GW machine - strongSwan 4.3.5 - ipsec.conf

====START=====
config setup
         crlcheckinterval=180
         strictcrlpolicy=no
         nat_traversal=yes
         charonstart=yes
         plutostart=yes
         plutodebug=control

# Add connections here.

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         left=%any
         leftcert=vpngw.mydomain.net-cert.pem
         leftid=@vpngw.mydomain.net
         leftfirewall=yes

conn nat-ikev2
         leftsubnet=0.0.0.0/0
         right=%any
         keyexchange=ikev2
         rightsourceip=192.168.5.0/24
         auto=add

conn nat-ikev1
         pfs=no
         leftsubnet=0.0.0.0/0
         right=%any
         rightsourceip=192.168.6.0/24
         keyexchange=ikev1
         auto=add
======END ======



Test roadwarrior machine - Debian 4 with strongSwan 4.3.2 - ipsec.conf

====START====

config setup
     crlcheckinterval=180
     strictcrlpolicy=no
     charonstart=no
     plutodebug=control
     nat_traversal=yes

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev1

conn nat
     left=%defaultroute
     forceencaps=yes
     compress=yes
     leftsourceip=%config
     leftcert=russ.mydomain.net-cert.pem
     leftid=russ.cox@mydomain.net
     leftauth=pubkey
     right=vpngw.mydomain.net
     rightid=@vpngw.mydomain.net
     rightsubnet=0.0.0.0/24
     auto=add

====END====
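To see what each daemon actually receives once `conn %default` inheritance is applied, here is an added Python example (not from the post and not strongSwan's own code) that parses a constructed copy of the gateway conn sections above and merges the %default values into each conn; the keyexchange default and the pluto/charon mapping assume strongSwan 4.3.x behaviour.

```python
# Constructed sample: the gateway conn sections from the post above
# (strongSwan 4.3.x ipsec.conf; "conn %default" is inherited by every conn).
GATEWAY_IPSEC_CONF = """\
conn %default
         left=%any
         leftcert=vpngw.mydomain.net-cert.pem
         leftid=@vpngw.mydomain.net

conn nat-ikev2
         leftsubnet=0.0.0.0/0
         right=%any
         keyexchange=ikev2

conn nat-ikev1
         pfs=no
         leftsubnet=0.0.0.0/0
         right=%any
         rightsourceip=192.168.6.0/24
         keyexchange=ikev1
"""

def parse_ipsec_conf(text):
    """Return {"<kind> <name>": {key: value}} for every config/conn section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: "conn NAME" / "config setup"
            kind, name = line.split(None, 1)
            current = sections.setdefault(f"{kind} {name}", {})
        else:                                     # indented: key=value inside a section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def effective_conns(sections):
    """Merge conn %default into each conn and tag the daemon that will serve it."""
    default = sections.get("conn %default", {})
    result = {}
    for name, params in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        merged = {**default, **params}
        # strongSwan 4.x: keyexchange defaults to ikev1; pluto handles IKEv1, charon IKEv2
        merged.setdefault("keyexchange", "ikev1")
        merged["daemon"] = "charon" if merged["keyexchange"] == "ikev2" else "pluto"
        result[name[len("conn "):]] = merged
    return result
```

Running `effective_conns(parse_ipsec_conf(GATEWAY_IPSEC_CONF))` shows that nat-ikev1 is served by pluto with the inherited `left=%any` and `leftcert`, which is the view of the connection pluto works from when the Main Mode message in the auth.log arrives.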



