[strongSwan] StrongSwan to accept IKE initiated from other end?
William Greene
wgreene9617 at yahoo.com
Wed Nov 17 20:18:03 CET 2010
I can't for some reason get StrongSwan to accept an IKE initiated connection
from the other end. In ipsec.conf I've tried "auto=add" and "auto=route" but I
can only get the ipsec connection going from the StrongSwan end via the command
"ipsec up testipsec".
tcpdump on the far end shows that messages are going out, but the charon.log
shows nothing. When I issue the command "ipsec up testipsec", I see isakmp 1.0
and isakmp 2.0 logs on the far end, and the charon.log shows a lot of messages and
the ipsec connection functions as expected.
Only outgoing IKE/IPsec-initiated connections work, not incoming. Any ideas?
Thanks in advance for any comments or suggestions.
Bill
[root at KAP8 etc]# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# NOTE(review): the parameters below sit at column 0 as pasted; ipsec.conf expects
# them indented under their "config"/"conn" header - presumably the indentation
# was lost in the mail archive.
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
# charonstart=no
# pluto (the IKEv1 daemon) is not started; charonstart is commented out, so its
# default applies.
plutostart=no
# Add connections here.
# Defaults inherited by every conn section below.
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
# A single negotiation attempt; a failed exchange is not retried.
keyingtries=1
mobike=no
# Pre-shared-key authentication. The key itself is not in this file (it is read
# from ipsec.secrets), so its strength cannot be judged from this listing.
authby=secret
# NOTE(review): with pluto disabled and keyexchange=ikev2, this host presumably
# answers IKEv2 only; an IKEv1 initiation from the peer would go unanswered -
# confirm which IKE version the far end uses when it initiates.
keyexchange=ikev2
#ike=aes128-sha1-modp2048,3des-sha1-modp1536
# gcm256
#esp=aes256gcm16-modp1024-modp2048!
# gcm128
#esp=aes128gcm16-modp1024-modp2048!
# gmac128
#ike=aes128-sha256-modp2048!
# NOTE(review): "iesp" below looks like a typo for "esp"; harmless while commented out.
#iesp=aes128gmac-modp2048!
# gmac256
# The trailing "!" makes each proposal strict: only this exact suite is accepted,
# so the peer must offer the same algorithms.
ike=aes256-sha384-modp2048!
# AES-GMAC in ESP (RFC 4543) authenticates packets but does not encrypt them:
# payloads travel in cleartext with integrity protection only. Use one of the
# aes*gcm16 suites above if confidentiality is required.
esp=aes256gmac-modp2048!
conn testipsec
# Transport mode, host to host between the two addresses below.
type=transport
left=10.168.80.8
# Only TCP (any port) is selected for protection on both sides; other protocols
# between the two hosts are not covered by this connection.
leftprotoport=tcp/%any
# leftid/rightid are commented out, so no explicit identities are configured here.
#leftid=kap
right=10.168.65.1
rightprotoport=tcp/%any
#rightid=cep
# auto=add only loads the connection; it is brought up by "ipsec up testipsec" or
# by the peer initiating.
# NOTE(review): the mail reports charon.log staying empty on inbound attempts, which
# suggests the packets never reach charon - check that the host firewall admits
# UDP 500 (and UDP 4500 if NAT traversal is used) from 10.168.65.1.
auto=add
[root at KAP8 etc]#