[strongSwan] strongswan client configuration

Alexandre Chapellon a.chapellon at horoa.net
Mon Jun 13 10:50:51 CEST 2011


OK, finally got my policy problem: I didn't know I had to do ipsec 
route... After doing ipsec route I can see my policies correctly set up.

Unfortunately it still doesn't work, I have the following error message on 
the client side:

initiating IKE_SA horoa[1] to 21.12.5.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.17.2.71[500] to 21.12.5.22[500]
received packet: from 21.12.5.22[500] to 172.17.2.71[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for unknown ca with keyid 87:d2:41:4a:86:d0:c2:1d:5e:23:9b:ed:17:2d:bf:a3:95:f4:30:c6
authentication of 'C=FR, O=customer1, CN=elronde' (myself) with RSA signature successful
sending end entity cert "C=FR, O=customer1, CN=elronde"
establishing CHILD_SA horoa
generating IKE_AUTH request 1 [ IDi CERT IDr AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 172.17.2.71[4500] to 21.12.5.22[4500]
received packet: from 21.12.5.22[4500] to 172.17.2.71[4500]
parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
no trusted RSA public key found for 'vpn.domain.tld'

Any idea where my config is wrong, or how to further debug it?

On 12/06/2011 16:50, Alexandre Chapellon wrote:
> Hello,
>
> I'm new to strongswan, and not so familiar with ipsec. I want to set up an
> ipsec VPN gateway for site to site and roadwarriors.
> I have installed strongswan on a debian 6 system. I have generated x509
> certificates and rsa keys as described here:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
> On the client side I have installed the strongswan network-manager
> plugin. I can successfully establish vpn connections and route packets
> from and to the roadwarrior client.
> I'd like to do the same but without using the network-manager gui... and
> here it fails.
> I guess my certs are ok as connections work just fine with gui. Here is
> my ipsec.conf on the rw side:
>
> config setup
>       strictcrlpolicy=no
>       charonstart=yes
>       plutostart=yes
>
> ca horoa
>       cacert=/home/some1/ssl/pki/ca.crt
>
> conn %default
>       ikelifetime=60m
>       keylife=20m
>       rekeymargin=3m
>       keyingtries=1
>       keyexchange=ikev2
>
> conn strongswan
>       left=%defaultroute
>       leftcert=/home/some1/ssl/pki/elronde.crt
>       leftrsasigkey=/home/some1/ssl/pki/elronde.key
>       leftsourceip=%config
>       right=21.12.5.22
>       rightid=vpn.domain.tld
>       rightsubnet=172.20.0.0/23
>       auto=add
>
> when I type sudo ipsec up strongswan, the connection seems to come up, but
> routing does not work and looking at ip xfrm policy I can see there is
> none. Does anyone know where my issue is?
>
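The charon log in the reply above shows the IKEv2 negotiation getting through IKE_SA_INIT and the client's own authentication, then stopping at "no trusted RSA public key found" after the IKE_AUTH response. The following is an added triage script (not part of the thread or of strongSwan) that parses such log lines into exchanges and payloads and reports the certificate-trust findings a reader would look for; the sample input is the quoted log with its wrapped lines rejoined.

```python
import re
from dataclasses import dataclass, field

# Charon log excerpt quoted in the thread (wrapped lines rejoined), used as sample input.
CHARON_LOG = """\
initiating IKE_SA horoa[1] to 21.12.5.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for unknown ca with keyid 87:d2:41:4a:86:d0:c2:1d:5e:23:9b:ed:17:2d:bf:a3:95:f4:30:c6
generating IKE_AUTH request 1 [ IDi CERT IDr AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
no trusted RSA public key found for 'vpn.domain.tld'
"""

EXCHANGE = re.compile(r"^(generating|parsed) (\w+) (request|response) (\d+) \[ (.*) \]$")
PAYLOAD = re.compile(r"\w+(?:\([^)]*\))?")  # one payload, e.g. N(NATD_S_IP) or CP(ADDR DNS DNS NBNS)
UNKNOWN_CA = re.compile(r"received cert request for unknown ca with keyid (\S+)")
UNTRUSTED = re.compile(r"no trusted RSA public key found for '([^']+)'")

@dataclass
class IkeSummary:
    exchanges: list = field(default_factory=list)  # (exchange, direction, msg_id, payloads)
    behind_nat: bool = False
    unknown_ca_keyids: list = field(default_factory=list)
    untrusted_peers: list = field(default_factory=list)

def summarize(log: str) -> IkeSummary:
    """Reduce charon's IKEv2 negotiation log to the facts needed for triage."""
    s = IkeSummary()
    for line in log.splitlines():
        if m := EXCHANGE.match(line):
            direction = "out" if m[3] == "request" else "in"
            s.exchanges.append((m[2], direction, int(m[4]), PAYLOAD.findall(m[5])))
        elif "local host is behind NAT" in line:
            s.behind_nat = True
        elif m := UNKNOWN_CA.search(line):
            s.unknown_ca_keyids.append(m[1])
        elif m := UNTRUSTED.search(line):
            s.untrusted_peers.append(m[1])
    return s

def diagnose(s: IkeSummary) -> list:
    """Plain-language findings about why peer authentication failed."""
    findings = [f"gateway sent CERTREQ for CA keyid {k}, which is not loaded here; the configured "
                "cacert is probably not the CA the gateway trusts" for k in s.unknown_ca_keyids]
    findings += [f"gateway identity '{p}' not authenticated: its certificate does not chain to a "
                 "loaded CA, or rightid does not match the certificate" for p in s.untrusted_peers]
    return findings or ["no certificate trust error in this excerpt"]
```

Running `diagnose(summarize(CHARON_LOG))` on the quoted log yields two findings, one for the unknown CA keyid in the CERTREQ and one for the unauthenticated gateway identity, which points the search at the CA loaded on the client and at the rightid rather than at routing.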