[strongSwan] shrew -> NAT(linux)-> strongswan = disconnected
sftf
sftf-misc at mail.ru
Fri Jun 25 08:30:20 CEST 2010
I can't figure out: is it my strongSwan misconfiguration or something else?
If I disable the manual IPsec policy at the Shrew client and check "Obtain Topology Automatically", the pluto log says:

cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===195.162.66.178:4500...195.162.66.179:4500===192.168.255.2/32
I'm trying to make a connection between a roadwarrior and the network behind the gateway 195.162.66.178,
and I would like to advertise the network 192.168.0.0/24 behind the gateway 195.162.66.178 to the roadwarriors.
What should I do?
==========
config setup
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=no
        plutostart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        left=195.162.66.178
        leftsubnet=192.168.0.0/24
        leftcert=gw.openorgan.ru-cert.pem
        keyexchange=ikev1
        type=tunnel
        pfs=yes
        pfsgroup=modp1024
        ike=aes256-sha1-modp1024
        xauth=server
        dpdaction=clear
        dpddelay=10

conn rw2
        right=%any
        rightsourceip=192.168.255.2
        rightsubnet=192.168.255.0/24
        rightid="C=RU, ST=Tomsk region, O=organ, OU=Central Office, CN=rw2, E=rw2 at openorgan.ru"
        auto=add
        authby=xauthrsasig
        #authby=rsasig
AS> I rather suspect that adding the IPsec policies
AS> 10/06/23 09:38:51 ii : creating IPSEC INBOUND policy
AS> ANY:192.168.0.0/24:* -> ANY:192.168.255.2:*
AS> 10/06/23 09:38:51 DB : policy added ( obj count = 4 )
AS> 10/06/23 09:38:51 K>> : send pfkey X_SPDADD UNSPEC message
AS> 10/06/23 09:38:51 K< : recv pfkey X_SPDADD UNSPEC message
AS> 10/06/23 09:38:51 DB : policy found
AS> 10/06/23 09:38:51 ii : creating IPSEC OUTBOUND policy
AS> ANY:192.168.255.2:* -> ANY:192.168.0.0/24:*
AS> 10/06/23 09:38:52 ii : created IPSEC policy route for 192.168.0.0/24
AS> 10/06/23 09:38:52 DB : policy added ( obj count = 5 )
AS> 10/06/23 09:38:52 K>> : send pfkey X_SPDADD UNSPEC message
AS> 10/06/23 09:38:52 ii : creating IPSEC INBOUND policy
AS> ANY:195.162.56.224/29:* -> ANY:192.168.255.2:*
AS> 10/06/23 09:38:52 DB : policy added ( obj count = 6 )
AS> 10/06/23 09:38:52 K>> : send pfkey X_SPDADD UNSPEC message
AS> 10/06/23 09:38:52 ii : creating IPSEC OUTBOUND policy
AS> ANY:192.168.255.2:* -> ANY:195.162.56.224/29:*
AS> 10/06/23 09:38:52 ii : created IPSEC policy route for 195.162.56.224/29
AS> somehow prevents strongSwan from receiving any further IKE packets
AS> in the NAT case.
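The pluto message "no connection is known for A===B...C===D" lists the selectors pluto was asked to set up (left subnet, left host, right host, right subnet) and means no loaded conn matches all of them. The following is an added diagnostic script, not part of the post or of strongSwan, that parses a constructed excerpt of the ipsec.conf above (parameter indentation assumed, with conn %default inherited by every conn) together with the quoted log line and reports, per conn, which selectors differ. The selector comparison is exact-match only; it does not model pluto's full connection-selection logic.

```python
import ipaddress
import re

# Constructed excerpt of the ipsec.conf from the post (indentation assumed).
IPSEC_CONF = """\
config setup
    plutodebug=all
    nat_traversal=yes

conn %default
    left=195.162.66.178
    leftsubnet=192.168.0.0/24
    keyexchange=ikev1
    type=tunnel

conn rw2
    right=%any
    rightsourceip=192.168.255.2
    rightsubnet=192.168.255.0/24
    auto=add
"""

# The pluto log line quoted in the post.
PLUTO_LINE = ("cannot respond to IPsec SA request because no connection is known for "
              "0.0.0.0/0===195.162.66.178:4500...195.162.66.179:4500===192.168.255.2/32")

LOG_RE = re.compile(r"no connection is known for (\S+?)===(\S+?)\.\.\.(\S+?)===(\S+)")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; values from 'conn %default' are inherited."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header, e.g. 'conn rw2'
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    conns = {}
    for name, params in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            merged = dict(default)
            merged.update(params)
            conns[name[len("conn "):]] = merged
    return conns


def parse_pluto_request(line):
    """Extract the four selectors from the 'no connection is known for' message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"leftsubnet": m.group(1), "left": m.group(2),
            "right": m.group(3), "rightsubnet": m.group(4)}


def strip_port(host):
    """'195.162.66.178:4500' -> '195.162.66.178' (NAT-T endpoints carry a port)."""
    return host.rsplit(":", 1)[0]


def explain_mismatch(conns, request):
    """Per conn, list the request selectors that differ from the configured ones.
    An empty list means the conn's selectors equal what the peer proposed."""
    report = {}
    for name, p in conns.items():
        problems = []
        if p.get("left") != strip_port(request["left"]):
            problems.append(f"left {p.get('left')} != {strip_port(request['left'])}")
        # leftsubnet defaults to the gateway address itself when not configured
        want_ls = ipaddress.ip_network(p.get("leftsubnet", p.get("left") + "/32"))
        got_ls = ipaddress.ip_network(request["leftsubnet"])
        if want_ls != got_ls:
            problems.append(f"leftsubnet {want_ls} != proposed {got_ls}")
        # right=%any matches any peer address, so only the right subnet is compared
        want_rs = p.get("rightsubnet")
        got_rs = ipaddress.ip_network(request["rightsubnet"])
        if want_rs is not None and ipaddress.ip_network(want_rs) != got_rs:
            problems.append(f"rightsubnet {want_rs} != proposed {got_rs}")
        report[name] = problems
    return report


if __name__ == "__main__":
    report = explain_mismatch(parse_ipsec_conf(IPSEC_CONF), parse_pluto_request(PLUTO_LINE))
    for conn, problems in report.items():
        print(conn, "matches" if not problems else "; ".join(problems))
```

Run against the post's own data, the script shows that the client proposed 0.0.0.0/0 as the gateway-side selector (the "Obtain Topology Automatically" setting) while conn rw2 offers 192.168.0.0/24, and proposed its own address as a /32 while rw2 has rightsubnet=192.168.255.0/24; reading the four fields this way is the first thing to check whenever pluto reports that no connection is known.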