[strongSwan] StrongSwan to accept IKE initiated from other end?

Andreas Steffen andreas.steffen at strongswan.org
Wed Nov 17 21:52:32 CET 2010


Hello Bill,

which socket plugin are you using for charon? (The command
ipsec statusall shows a list of all loaded plugins.)

If both charon and pluto are running, you *must* load the
socket-raw plugin, and if charon only is running, then
you *can* use either the socket-default plugin, which binds to
UDP ports 500/4500, or of course keep socket-raw, but never
load both together.

Regards

Andreas

On 11/17/2010 08:18 PM, William Greene wrote:
>
> I can't for some reason get StrongSwan to accept an IKE initiated
> connection from the other end. In ipsec.conf I've tried "auto=add" and
> "auto=route" but I can only get the ipsec connection going from the
> StrongSwan end via the command "ipsec up testipsec".
>
> tcpdump on the far end shows that messages are going out, but the
> charon.log shows nothing. When I issue the command "ipsec up testipsec",
> I see isakmp 1.0 and isakmp 2.0 logs on the far end and the charon.log
> shows a lot of messages and the ipsec connection functions as expected.
>
> Only outgoing ike/ipsec initiated connections work, not incoming. Any
> ideas?
>
> Thanks in advance for any comments or suggestions.
> Bill
>
>
>
> [root@KAP8 etc]# cat ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         # charonstart=no
>         plutostart=no
>
> # Add connections here.
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         mobike=no
>         authby=secret
>         keyexchange=ikev2
>         #ike=aes128-sha1-modp2048,3des-sha1-modp1536
>         # gcm256
>         #esp=aes256gcm16-modp1024-modp2048!
>         # gcm128
>         #esp=aes128gcm16-modp1024-modp2048!
>         # gmac128
>         #ike=aes128-sha256-modp2048!
>         #iesp=aes128gmac-modp2048!
>         # gmac256
>         ike=aes256-sha384-modp2048!
>         esp=aes256gmac-modp2048!
>
> conn testipsec
>         type=transport
>         left=10.168.80.8
>         leftprotoport=tcp/%any
>         #leftid=kap
>         right=10.168.65.1
>         rightprotoport=tcp/%any
>         #rightid=cep
>         auto=add
> [root@KAP8 etc]#

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
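
The socket plugin rule from the reply above, as an added example (not part of the original message and not strongSwan's own tooling): a shell function that reads `ipsec statusall` output and checks which socket plugins charon has loaded. It assumes the output contains a `loaded plugins: <name> <name> ...` line; the function name, verdict strings and sample plugin lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate charon's socket plugin selection.
# Assumption: `ipsec statusall` prints a line "loaded plugins: a b c ...".

# Usage: ipsec statusall | check_socket_plugins <pluto_running: yes|no>
# Prints a one-word verdict; returns 0 only for a valid combination.
check_socket_plugins() {
    pluto_running=$1
    # Take the plugin list from the first "loaded plugins:" line on stdin.
    plugins=$(sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p' | head -n 1)
    has_raw=no
    has_default=no
    for p in $plugins; do
        case $p in
            socket-raw)     has_raw=yes ;;
            socket-default) has_default=yes ;;
        esac
    done
    # "never load both together"
    if [ "$has_raw" = yes ] && [ "$has_default" = yes ]; then
        echo "conflict"; return 1
    fi
    # Inference, not stated in the reply: charon needs one socket plugin
    # to send or receive IKE packets at all.
    if [ "$has_raw" = no ] && [ "$has_default" = no ]; then
        echo "no-socket-plugin"; return 1
    fi
    # "If both charon and pluto are running you *must* load socket-raw"
    if [ "$pluto_running" = yes ] && [ "$has_raw" = no ]; then
        echo "need-socket-raw"; return 1
    fi
    echo "ok"; return 0
}

# Constructed sample lines (not captured from a real system).
SAMPLE_DEFAULT='  loaded plugins: aes sha1 sha2 hmac gmp stroke socket-default'
SAMPLE_RAW='  loaded plugins: aes sha1 sha2 hmac gmp stroke socket-raw'
SAMPLE_BOTH='  loaded plugins: aes sha1 stroke socket-raw socket-default'

# plutostart=no as in the posted ipsec.conf, so pluto_running is "no".
printf '%s\n' "$SAMPLE_DEFAULT" | check_socket_plugins no || true
```

On a live host, pipe the real output in: `ipsec statusall | check_socket_plugins no`.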



