[strongSwan] StrongSwan to accept IKE initiated from other end?
William Greene
wgreene9617 at yahoo.com
Thu Nov 18 15:22:38 CET 2010
I swapped the plugin socket-raw for socket-default and now the charon daemon
will accept connections from the far end.
Thanks again for your help,
Bill
________________________________
From: William Greene <wgreene9617 at yahoo.com>
To: Andreas Steffen <andreas.steffen at strongswan.org>
Cc: users at lists.strongswan.org
Sent: Wed, November 17, 2010 3:57:17 PM
Subject: Re: [strongSwan] StrongSwan to accept IKE initiated from other end?
Charon and socket-raw. The SA listed was started from Strongswan to the far
end.
Thanks,
Bill
[root at KAP8 etc]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.0):
uptime: 112 minutes, since Nov 17 14:01:20 2010
malloc: sbrk 253952, mmap 0, used 158000, free 95952
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 5
loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp
pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve
socket-raw stroke updown
Listening IP addresses:
10.168.80.8
2005:a8::21e:c9ff:feff:124
2004:a8::21e:c9ff:feff:124
Connections:
testipsec: 10.168.80.8...10.168.65.1
testipsec: local: [10.168.80.8] uses pre-shared key authentication
testipsec: remote: [10.168.65.1] uses any authentication
testipsec: child: dynamic[tcp] === dynamic[tcp]
Security Associations:
testipsec[3]: ESTABLISHED 12 seconds ago,
10.168.80.8[10.168.80.8]...10.168.65.1[10.168.65.1]
testipsec[3]: IKE SPIs: 05aa819c100c902b_i* 50e302f1e37239ad_r, pre-shared
key reauthentication in 56 minutes
testipsec[3]: IKE proposal:
AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
testipsec{9}: INSTALLED, TRANSPORT, ESP SPIs: c8a2210e_i e8bef2ae_o
testipsec{9}: NULL_AES_GMAC_256, 0 bytes_i, 0 bytes_o, rekeying in 16
minutes
testipsec{9}: 10.168.80.8/32[tcp] === 10.168.65.1/32[tcp]
[root at KAP8 etc]#
________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: William Greene <wgreene9617 at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Wed, November 17, 2010 3:52:32 PM
Subject: Re: [strongSwan] StrongSwan to accept IKE initiated from other end?
Hello Bill,
which socket plugin are you using for charon? (The command
ipsec statusall shows a list of all loaded plugins.)
If both charon and pluto are running you *must* load the
socket-raw plugin, and if charon only is running then
you *can* use either the socket-default plugin, which binds to
UDP ports 500/4500, or of course keep socket-raw; but never
load both together.
Regards
Andreas
On 11/17/2010 08:18 PM, William Greene wrote:
>
> I can't for some reason get StrongSwan to accept an IKE initiated
> connection from the other end. In ipsec.conf I've tried "auto=add" and
> "auto=route" but I can only get the ipsec connection going from the
> StrongSwan end via the command "ipsec up testipsec".
>
> tcpdump on the far end shows that messages are going out, but the
> charon.log shows nothing. When I issue the command "ipsec up testipsec",
> I see isakmp 1.0 and isakmp 2.0 logs on the far end and the charon.log
> shows a lot of messages and the ipsec connection functions as expected.
>
> Only outgoing ike/ipsec initiated connections work, not incoming. Any
> ideas?
>
> Thanks in advance for any comments or suggestions.
> Bill
>
>
>
> [root at KAP8 etc]# cat ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         # charonstart=no
>         plutostart=no
>
> # Add connections here.
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         mobike=no
>         authby=secret
>         keyexchange=ikev2
>         #ike=aes128-sha1-modp2048,3des-sha1-modp1536
>         # gcm256
>         #esp=aes256gcm16-modp1024-modp2048!
>         # gcm128
>         #esp=aes128gcm16-modp1024-modp2048!
>         # gmac128
>         #ike=aes128-sha256-modp2048!
>         #iesp=aes128gmac-modp2048!
>         # gmac256
>         ike=aes256-sha384-modp2048!
>         esp=aes256gmac-modp2048!
>
> conn testipsec
>         type=transport
>         left=10.168.80.8
>         leftprotoport=tcp/%any
>         #leftid=kap
>         right=10.168.65.1
>         rightprotoport=tcp/%any
>         #rightid=cep
>         auto=add
> [root at KAP8 etc]#
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
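As an added example (not from the thread or from the strongSwan project), a small POSIX shell check that applies Andreas' rule to `ipsec statusall` output: it pulls the socket plugins out of the wrapped "loaded plugins" list and flags the combinations he rules out. The sample output below is constructed in the shape of Bill's listing, and `ipsec` itself is not invoked.

```shell
#!/bin/sh
# Sanity-check charon's socket plugin from 'ipsec statusall' output against
# the rule in the thread: socket-raw and socket-default are never loaded
# together, and with pluto running charon needs socket-raw.

# Constructed sample in the shape of the statusall output quoted above
# (constructed for this example, not Bill's verbatim listing).
SAMPLE_STATUSALL='Status of IKEv2 charon daemon (strongSwan 4.5.0):
loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp
pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve
socket-raw stroke updown
Listening IP addresses:
  10.168.80.8'

# loaded_socket_plugins STATUSALL_TEXT -> prints the socket-* plugins found.
loaded_socket_plugins() {
    # The plugin list wraps across lines until "Listening IP addresses:",
    # so take that whole span, one token per line, and keep socket plugins.
    printf '%s\n' "$1" \
        | sed -n '/^loaded plugins:/,/^Listening IP addresses:/p' \
        | tr ' ' '\n' \
        | grep -E '^socket-(raw|default)$' \
        | tr '\n' ' ' | sed 's/ $//'
}

# check_socket_plugins STATUSALL_TEXT PLUTO_RUNNING(yes|no)
# Prints a verdict; returns 0 only for a combination the rule allows.
check_socket_plugins() {
    plugins=$(loaded_socket_plugins "$1")
    case "$plugins" in
        *socket-raw*socket-default*|*socket-default*socket-raw*)
            echo "BAD: socket-raw and socket-default loaded together"; return 1 ;;
        socket-raw)
            echo "OK: socket-raw (valid with or without pluto)"; return 0 ;;
        socket-default)
            if [ "$2" = yes ]; then
                echo "BAD: pluto is running, charon must use socket-raw"; return 1
            fi
            echo "OK: socket-default (charon only, binds UDP 500/4500)"; return 0 ;;
        *)
            echo "BAD: no socket plugin loaded, charon cannot receive IKE"; return 1 ;;
    esac
}

# Stand-alone run: evaluate the constructed sample with pluto stopped
# (plutostart=no in Bill's config).
check_socket_plugins "$SAMPLE_STATUSALL" no
```

On a live host the same functions can be fed with `check_socket_plugins "$(ipsec statusall)" no`.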