[strongSwan] StrongSwan to accept IKE initiated from other end?

William Greene wgreene9617 at yahoo.com
Thu Nov 18 15:22:38 CET 2010



I swapped the plugin socket-raw for socket-default and now the charon daemon 
will accept connections from the far end.

Thanks again for your help,
Bill




________________________________
From: William Greene <wgreene9617 at yahoo.com>
To: Andreas Steffen <andreas.steffen at strongswan.org>
Cc: users at lists.strongswan.org
Sent: Wed, November 17, 2010 3:57:17 PM
Subject: Re: [strongSwan] StrongSwan to accept IKE initiated from other end?




Charon and socket-raw.  The SA listed was started from Strongswan to the far 
end.

Thanks,
Bill

[root at KAP8 etc]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.0):
  uptime: 112 minutes, since Nov 17 14:01:20 2010
  malloc: sbrk 253952, mmap 0, used 158000, free 95952
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 5
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp 
pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve 
socket-raw stroke updown 
Listening IP  addresses:
  10.168.80.8
  2005:a8::21e:c9ff:feff:124
  2004:a8::21e:c9ff:feff:124
Connections:
   testipsec:  10.168.80.8...10.168.65.1
   testipsec:   local:  [10.168.80.8] uses pre-shared key authentication
   testipsec:   remote: [10.168.65.1] uses any authentication
   testipsec:   child:  dynamic[tcp] === dynamic[tcp] 
Security Associations:
   testipsec[3]: ESTABLISHED 12 seconds ago, 
10.168.80.8[10.168.80.8]...10.168.65.1[10.168.65.1]
   testipsec[3]: IKE SPIs: 05aa819c100c902b_i* 50e302f1e37239ad_r, pre-shared 
key reauthentication in 56 minutes
   testipsec[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
   testipsec{9}:  INSTALLED,  TRANSPORT, ESP SPIs: c8a2210e_i e8bef2ae_o
   testipsec{9}:  NULL_AES_GMAC_256, 0 bytes_i, 0 bytes_o, rekeying in 16 
minutes
   testipsec{9}:   10.168.80.8/32[tcp] === 10.168.65.1/32[tcp] 
[root at KAP8 etc]# 




________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: William Greene <wgreene9617 at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Wed, November 17, 2010 3:52:32 PM
Subject: Re: [strongSwan] StrongSwan to accept IKE initiated from other end?

Hello Bill,

which socket plugin are you using for charon? (The command
ipsec statusall shows a list of all loaded plugins.)

If both charon and pluto are running, you *must* load the
socket-raw plugin; if only charon is running, then
you *can* use either the socket-default plugin, which binds to
UDP ports 500/4500, or of course keep socket-raw, but never
load both together.

Regards

Andreas

On 11/17/2010 08:18 PM, William Greene wrote:
>
> I can't for some reason get StrongSwan to accept an IKE initiated
> connection from the other end. In ipsec.conf I've tried "auto=add" and
> "auto=route" but I can only get the ipsec connection going from the
> StrongSwan end via the command "ipsec up testipsec".
>
> tcpdump on the far end shows that messages are going out, but the
> charon.log shows nothing. When I issue the command "ipsec up testipsec",
> I see isakmp 1.0 and isakmp 2.0 logs on the far end and the charon.log
> shows a lot of messages and the ipsec connection functions as expected.
>
> Only outgoing ike/ipsec initiated connections work, not incoming. Any
> ideas?
>
> Thanks in advance for any comments or suggestions.
> Bill
>
>
>
> [root at KAP8 etc]# cat ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
> # plutodebug=all
> # crlcheckinterval=600
> # strictcrlpolicy=yes
> # cachecrls=yes
> # nat_traversal=yes
> # charonstart=no
> plutostart=no
>
> # Add connections here.
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> mobike=no
> authby=secret
> keyexchange=ikev2
>  #ike=aes128-sha1-modp2048,3des-sha1-modp1536
> # gcm256
> #esp=aes256gcm16-modp1024-modp2048!
> # gcm128
> #esp=aes128gcm16-modp1024-modp2048!
> # gmac128
> #ike=aes128-sha256-modp2048!
> #iesp=aes128gmac-modp2048!
> # gmac256
> ike=aes256-sha384-modp2048!
> esp=aes256gmac-modp2048!
>
> conn testipsec
> type=transport
> left=10.168.80.8
> leftprotoport=tcp/%any
> #leftid=kap
> right=10.168.65.1
> rightprotoport=tcp/%any
> #rightid=cep
> auto=add
> [root at KAP8 etc]#

======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                 www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
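An added check, written for this page and not part of the thread or of strongSwan itself, that pulls the wrapped "loaded plugins" field out of "ipsec statusall" output and plutostart out of ipsec.conf, then applies the rule Andreas gives above. The sample inputs are constructed from the thread's own output, and treating an absent plutostart as "yes" is an assumption about the 4.x default.

```python
import re

# Constructed samples, trimmed from the thread's statusall output and ipsec.conf.
SAMPLE_STATUS = """Status of IKEv2 charon daemon (strongSwan 4.5.0):
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp
pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve
socket-raw stroke updown
Listening IP  addresses:
  10.168.80.8
"""
SAMPLE_CONF = """config setup
# charonstart=no
plutostart=no
"""

def loaded_plugins(status_text):
    # The terminal wrapped the field over several lines: keep collecting
    # until the next indented field or the next "name:" section header.
    plugins, collecting = [], False
    for line in status_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("loaded plugins:"):
            collecting = True
            stripped = stripped.split(":", 1)[1]
        elif collecting and (stripped.endswith(":") or line.startswith("  ")):
            break
        if collecting:
            plugins.extend(stripped.split())
    return plugins

def pluto_enabled(conf_text):
    # Read plutostart= from the config, skipping commented-out lines.
    # Absent is taken as "yes" (assumed 4.x default).
    for line in conf_text.splitlines():
        m = re.match(r"\s*plutostart\s*=\s*(\w+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return True

def check_socket_plugin(plugins, pluto_running):
    # Rule from the thread: never both socket plugins; pluto beside charon
    # requires socket-raw; charon alone may use either one.
    sockets = [p for p in plugins if p in ("socket-raw", "socket-default")]
    if len(sockets) > 1:
        return "error: socket-raw and socket-default loaded together"
    if not sockets:
        return "error: no socket plugin loaded"
    if pluto_running and sockets[0] != "socket-raw":
        return "error: pluto is running, charon must use socket-raw"
    return "ok: " + sockets[0]
```

Run check_socket_plugin(loaded_plugins(SAMPLE_STATUS), pluto_enabled(SAMPLE_CONF)) against the real command output and config on a host to see which rule, if any, is violated.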

