[strongSwan] StrongSwan to accept IKE initiated from other end?

William Greene wgreene9617 at yahoo.com
Wed Nov 17 21:57:17 CET 2010

Charon and socket-raw.  The SA listed was started from Strongswan to the far 


[root at KAP8 etc]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.0):
  uptime: 112 minutes, since Nov 17 14:01:20 2010
  malloc: sbrk 253952, mmap 0, used 158000, free 95952
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 5
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp 
pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve 
socket-raw stroke updown 
Listening IP addresses:
   testipsec:   local:  [] uses pre-shared key authentication
   testipsec:   remote: [] uses any authentication
   testipsec:   child:  dynamic[tcp] === dynamic[tcp] 
Security Associations:
   testipsec[3]: ESTABLISHED 12 seconds ago,[]...[]
   testipsec[3]: IKE SPIs: 05aa819c100c902b_i* 50e302f1e37239ad_r, pre-shared 
key reauthentication in 56 minutes
   testipsec[3]: IKE proposal: 
   testipsec{9}:  INSTALLED, TRANSPORT, ESP SPIs: c8a2210e_i e8bef2ae_o
   testipsec{9}:  NULL_AES_GMAC_256, 0 bytes_i, 0 bytes_o, rekeying in 16 
   testipsec{9}:[tcp] ===[tcp] 
[root at KAP8 etc]# 

From: Andreas Steffen <andreas.steffen at strongswan.org>
To: William Greene <wgreene9617 at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Wed, November 17, 2010 3:52:32 PM
Subject: Re: [strongSwan] StrongSwan to accept IKE initiated from other end?

Hello Bill,

which socket plugin are you using for charon? (The command
ipsec statusall shows a list of all loaded plugins.)

If both charon and pluto are running you *must* load the
socket-raw plugin, and if only charon is running then
you *can* use either the socket-default plugin, which binds to
UDP ports 500/4500, or of course keep socket-raw, but never
load both together.



On 11/17/2010 08:18 PM, William Greene wrote:
> I can't for some reason get StrongSwan to accept an IKE initiated
> connection from the other end. In ipsec.conf I've tried "auto=add" and
> "auto=route" but I can only get the ipsec connection going from the
> StrongSwan end via the command "ipsec up testipsec".
> tcpdump on the far end shows that messages are going out, but the
> charon.log shows nothing. When I issue the command "ipsec up testipsec",
> I see isakmp 1.0 and isakmp 2.0 logs on the far end and the charon.log
> shows a lot of messages and the ipsec connection functions as expected.
> Only outgoing ike/ipsec initiated connections work, not incoming. Any
> ideas?
> Thanks in advance for any comments or suggestions.
> Bill
> [root at KAP8 etc]# cat ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>     # plutodebug=all
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     # nat_traversal=yes
>     # charonstart=no
>     plutostart=no
> # Add connections here.
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     mobike=no
>     authby=secret
>     keyexchange=ikev2
>     #ike=aes128-sha1-modp2048,3des-sha1-modp1536
>     # gcm256
>     #esp=aes256gcm16-modp1024-modp2048!
>     # gcm128
>     #esp=aes128gcm16-modp1024-modp2048!
>     # gmac128
>     #ike=aes128-sha256-modp2048!
>     #esp=aes128gmac-modp2048!
>     # gmac256
>     ike=aes256-sha384-modp2048!
>     esp=aes256gmac-modp2048!
> conn testipsec
>     type=transport
>     left=
>     leftprotoport=tcp/%any
>     #leftid=kap
>     right=
>     rightprotoport=tcp/%any
>     #rightid=cep
>     auto=add
> [root at KAP8 etc]#

Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
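An added diagnostic check, not code from this thread or from strongSwan itself: it parses the wrapped `loaded plugins:` line of `ipsec statusall` and the `plutostart=` setting from `config setup`, then applies the rule Andreas states (socket-raw whenever pluto runs, and never more than one socket plugin). The sample inputs are constructed from the output posted above; treating a missing `plutostart=` as yes follows the strongSwan 4.x default.

```python
import re

# Constructed sample (from the thread's statusall output); the plugin list wraps.
SAMPLE_STATUS = """\
Status of IKEv2 charon daemon (strongSwan 4.5.0):
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp
pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve
socket-raw stroke updown
Listening IP addresses:
"""

# Constructed sample of the relevant part of the posted ipsec.conf.
SAMPLE_CONF = """\
config setup
    # charonstart=no
    plutostart=no
"""

def loaded_plugins(status_output):
    """Return plugin names from 'loaded plugins:', joining wrapped lines."""
    plugins, collecting = [], False
    for line in status_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("loaded plugins:"):
            plugins += stripped.split(":", 1)[1].split()
            collecting = True
        elif collecting:
            # A blank line or the next "key:" line ends the wrapped list.
            if not stripped or ":" in stripped:
                break
            plugins += stripped.split()
    return plugins

def pluto_enabled(ipsec_conf):
    """Read plutostart= from config setup; absent means yes (4.x default)."""
    value = "yes"
    for line in ipsec_conf.splitlines():
        m = re.match(r"plutostart\s*=\s*(\S+)", line.split("#", 1)[0].strip())
        if m:
            value = m.group(1).lower()
    return value == "yes"

def check_socket_plugins(plugins, pluto_running):
    """Apply the rule: socket-raw with pluto, exactly one socket plugin ever."""
    sockets = [p for p in plugins if p.startswith("socket-")]
    if len(sockets) != 1:
        return False, "expected one socket plugin, found: %s" % (", ".join(sockets) or "none")
    if pluto_running and sockets[0] != "socket-raw":
        return False, "%s cannot share UDP 500/4500 with pluto; load socket-raw" % sockets[0]
    return True, "%s is consistent with pluto %s" % (sockets[0], "running" if pluto_running else "disabled")
```

Run against the posted output it reports socket-raw as consistent, since plutostart=no leaves charon alone on UDP 500/4500.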
