[strongSwan] Strongswan gateway behind DHCP and NAT, possible?
Matti Huttunen
uutuus at gmail.com
Wed Mar 23 15:52:32 CET 2011
Hello!!
My first post to this list. This is quite a long message, and I hope you have
time to look it over. I am trying to make a two-gateway setup, where one
gateway is behind DHCP and NAT and the second one has a static public IP without
NAT, with no success...
Here's my setup:
private-lan-192.168.1.0/24
|
|
--------------------
eth1-192.168.1.210
public vpn-gw with
static address
Responder
eth0-193.185.215.163
--------------------
|
|
Internet
|
|
--------------------
NAT & DHCP device
--------------------
|
|
--------------------
eth0-private-DHCP-addr
dynamic vpn-gw with
dhcp-address & behind nat
Initiator
eth1-192.168.2.1
--------------------
|
|
private-lan-192.168.2.0/24
Here is the configuration for the public, static vpn-gateway (waiting for connections):
config setup
    crlcheckinterval=600
    strictcrlpolicy=no
    nat_traversal=yes
    cachecrls=yes
    plutostart=no
    plutodebug=none
    uniqueids=yes
    charondebug="dmn 0, mgr 1, ike 2, chd 0, job 0, cfg 1, knl 2, net 2, enc 1, lib 0"

conn %default
    mobike=no
    keyingtries=1
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    pfs=yes
    ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp8192
    esp=aes256-aesxcbc-modp2048!

conn dynamic-vpn-gw
    authby=secret
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid="me at static-vpn-gw"
    leftfirewall=yes
    right=%any
    rightid="me at dynamic-vpn-gw"
    rightsubnet=192.168.2.0/24
    rightsendcert=never
    auto=add
...and here is the configuration for the dynamic, private vpn-gateway (which initiates
the connection):
config setup
    crlcheckinterval=600
    strictcrlpolicy=no
    nat_traversal=yes
    cachecrls=yes
    plutostart=no
    plutodebug=none
    uniqueids=yes
    charondebug="dmn 0, mgr 1, ike 2, chd 0, job 0, cfg 1, knl 2, net 2, enc 1, lib 0"

conn %default
    mobike=no
    keyingtries=1
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    pfs=yes
    ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp8192
    esp=aes256-aesxcbc-modp2048!

conn static-vpn-gw
    authby=psk
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid="me at dynamic-vpn-gw"
    leftfirewall=yes
    right=193.185.215.163
    rightid="me at static-vpn-gw"
    rightsubnet=192.168.1.0/24
    rightsendcert=never
    auto=start
...and both have the same strongswan.conf:
# strongswan.conf - strongSwan configuration file
charon {
    threads = 16
    install_routes = yes
}
It seems that the IKE SA and the tunnel are established as they should be; here is the capture
from the public vpn:
Mar 23 14:14:34 static-vpn-gw ipsec_starter[11377]: Starting strongSwan
4.5.1 IPsec [starter]...
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL] listening on interfaces:
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL] eth0
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL] 193.185.215.163
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL] fe80::21c:25ff:fed8:f70
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL] eth1
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL] 192.168.1.210
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL] fe80::21b:21ff:fe30:4666
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading ca certificates from
'/opt/strongswan-4.5.1/etc/ipsec.d/cacerts'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading aa certificates from
'/opt/strongswan-4.5.1/etc/ipsec.d/aacerts'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading ocsp signer
certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/ocspcerts'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading attribute certificates
from '/opt/strongswan-4.5.1/etc/ipsec.d/acerts'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading crls from
'/opt/strongswan-4.5.1/etc/ipsec.d/crls'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading secrets from
'/opt/strongswan-4.5.1/etc/ipsec.secrets'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loaded IKE secret for
me at static-vpn-gw me at dynamic-vpn-gw
Mar 23 14:14:34 static-vpn-gw charon: 09[NET] waiting for data on raw
sockets
Mar 23 14:14:34 static-vpn-gw ipsec_starter[11385]: charon (11386) started
after 40 ms
Mar 23 14:14:34 static-vpn-gw charon: 07[CFG] crl caching to
/opt/strongswan-4.5.1/etc/ipsec.d/crls enabled
Mar 23 14:14:34 static-vpn-gw charon: 12[CFG] received stroke: add
connection 'dynamic-vpn-gw'
Mar 23 14:14:34 static-vpn-gw charon: 12[KNL] getting interface name for
%any
Mar 23 14:14:34 static-vpn-gw charon: 12[KNL] %any is not a local address
Mar 23 14:14:34 static-vpn-gw charon: 12[KNL] getting interface name for
193.185.215.163
Mar 23 14:14:34 static-vpn-gw charon: 12[KNL] 193.185.215.163 is on
interface eth0
Mar 23 14:14:34 static-vpn-gw charon: 12[CFG] added configuration
'dynamic-vpn-gw'
Mar 23 14:14:40 static-vpn-gw charon: 09[NET] received packet: from
193.185.215.146[500] to 193.185.215.163[500]
Mar 23 14:14:40 static-vpn-gw charon: 09[NET] waiting for data on raw
sockets
Mar 23 14:14:40 static-vpn-gw charon: 14[NET] received packet: from
193.185.215.146[500] to 193.185.215.163[500]
Mar 23 14:14:40 static-vpn-gw charon: 14[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 23 14:14:40 static-vpn-gw charon: 14[IKE] 193.185.215.146 is initiating
an IKE_SA
Mar 23 14:14:40 static-vpn-gw charon: 14[IKE] 193.185.215.146 is initiating
an IKE_SA
Mar 23 14:14:40 static-vpn-gw charon: 14[IKE] IKE_SA (unnamed)[1] state
change: CREATED => CONNECTING
Mar 23 14:14:41 static-vpn-gw charon: 14[IKE] remote host is behind NAT
Mar 23 14:14:41 static-vpn-gw charon: 14[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 23 14:14:41 static-vpn-gw charon: 14[NET] sending packet: from
193.185.215.163[500] to 193.185.215.146[500]
Mar 23 14:14:41 static-vpn-gw charon: 08[NET] sending packet: from
193.185.215.163[500] to 193.185.215.146[500]
Mar 23 14:14:41 static-vpn-gw charon: 09[NET] received packet: from
193.185.215.146[4500] to 193.185.215.163[4500]
Mar 23 14:14:41 static-vpn-gw charon: 15[NET] received packet: from
193.185.215.146[4500] to 193.185.215.163[4500]
Mar 23 14:14:41 static-vpn-gw charon: 09[NET] waiting for data on raw
sockets
Mar 23 14:14:41 static-vpn-gw charon: 15[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 23 14:14:41 static-vpn-gw charon: 15[CFG] looking for peer configs
matching 193.185.215.163[me at static-vpn-gw
]...193.185.215.146[me at dynamic-vpn-gw]
Mar 23 14:14:41 static-vpn-gw charon: 15[CFG] selected peer config
'dynamic-vpn-gw'
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] authentication of
'me at dynamic-vpn-gw' with pre-shared key successful
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] authentication of
'me at static-vpn-gw' (myself) with pre-shared key
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] successfully created shared
key MAC
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] IKE_SA dynamic-vpn-gw[1]
established between 193.185.215.163[me at static-vpn-gw
]...193.185.215.146[me at dynamic-vpn-gw]
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] IKE_SA dynamic-vpn-gw[1]
established between 193.185.215.163[me at static-vpn-gw
]...193.185.215.146[me at dynamic-vpn-gw]
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] IKE_SA dynamic-vpn-gw[1] state
change: CONNECTING => ESTABLISHED
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] scheduling reauthentication in
3247s
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] maximum IKE_SA lifetime 3427s
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting SPI for reqid {1}
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] got SPI ceed53f3 for reqid {1}
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding SAD entry with SPI
ceed53f3 and reqid {1}
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using encryption algorithm
AES_CBC with key size 256
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using integrity algorithm
AES_XCBC_96 with key size 128
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding SAD entry with SPI
cf06ca01 and reqid {1}
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using encryption algorithm
AES_CBC with key size 256
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using integrity algorithm
AES_XCBC_96 with key size 128
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding policy 192.168.1.0/24===
192.168.2.0/24 out
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding policy 192.168.2.0/24===
192.168.1.0/24 in
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding policy 192.168.2.0/24===
192.168.1.0/24 fwd
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting a local address in
traffic selector 192.168.1.0/24
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using host 192.168.1.210
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting address to reach
193.185.215.146
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting interface name for
193.185.215.163
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] 193.185.215.163 is on
interface eth0
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] installing route:
192.168.2.0/24 via 193.185.215.161 src 192.168.1.210 dev eth0
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting iface index for eth0
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] CHILD_SA dynamic-vpn-gw{1}
established with SPIs ceed53f3_i cf06ca01_o and TS 192.168.1.0/24 ===
192.168.2.0/24
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] CHILD_SA dynamic-vpn-gw{1}
established with SPIs ceed53f3_i cf06ca01_o and TS 192.168.1.0/24 ===
192.168.2.0/24
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting interface name for
193.185.215.163
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] 193.185.215.163 is on
interface eth0
Mar 23 14:14:41 static-vpn-gw vpn: + me at dynamic-vpn-gw 192.168.2.0/24 ==
193.185.215.146 -- 193.185.215.163 == 192.168.1.0/24
Mar 23 14:14:41 static-vpn-gw charon: 15[ENC] generating IKE_AUTH response 1
[ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Mar 23 14:14:41 static-vpn-gw charon: 15[NET] sending packet: from
193.185.215.163[4500] to 193.185.215.146[4500]
Mar 23 14:14:41 static-vpn-gw charon: 08[NET] sending packet: from
193.185.215.163[4500] to 193.185.215.146[4500]
Mar 23 14:16:19 static-vpn-gw charon: 02[KNL] querying SAD entry with SPI
ceed53f3
Mar 23 14:16:19 static-vpn-gw charon: 02[KNL] querying SAD entry with SPI
cf06ca01
Mar 23 14:20:02 static-vpn-gw charon: 09[NET] received packet: from
193.185.215.146[4500] to 193.185.215.163[4500]
Mar 23 14:20:02 static-vpn-gw charon: 01[NET] received packet: from
193.185.215.146[4500] to 193.185.215.163[4500]
Mar 23 14:20:02 static-vpn-gw charon: 09[NET] waiting for data on raw
sockets
...and here is the same dump from the dynamic, private gateway (which initiates the
connection):
Mar 23 14:14:59 dynamic-vpn-gw ipsec_starter[6072]: Starting strongSwan
4.5.1 IPsec [starter]...
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL] listening on interfaces:
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL] eth0
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL] 192.168.171.219
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL] fe80::21c:25ff:fed8:6180
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL] eth1
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL] 192.168.2.1
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading ca certificates from
'/opt/strongswan-4.5.1/etc/ipsec.d/cacerts'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading aa certificates from
'/opt/strongswan-4.5.1/etc/ipsec.d/aacerts'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading ocsp signer
certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/ocspcerts'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading attribute
certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/acerts'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading crls from
'/opt/strongswan-4.5.1/etc/ipsec.d/crls'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading secrets from
'/opt/strongswan-4.5.1/etc/ipsec.secrets'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loaded IKE secret for
me at dynamic-vpn-gw me at static-vpn-gw
Mar 23 14:14:59 dynamic-vpn-gw charon: 09[NET] waiting for data on raw
sockets
Mar 23 14:14:59 dynamic-vpn-gw ipsec_starter[6080]: charon (6081) started
after 40 ms
Mar 23 14:14:59 dynamic-vpn-gw charon: 07[CFG] crl caching to
/opt/strongswan-4.5.1/etc/ipsec.d/crls enabled
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[CFG] received stroke: add
connection 'static-vpn-gw'
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[KNL] getting interface name for
193.185.215.163
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[KNL] 193.185.215.163 is not a
local address
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[KNL] getting interface name for
192.168.171.219
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[KNL] 192.168.171.219 is on
interface eth0
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[CFG] added configuration
'static-vpn-gw'
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[CFG] received stroke: initiate
'static-vpn-gw'
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_VENDOR task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_INIT task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_NATD task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_CERT_PRE task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_AUTHENTICATE
task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_CERT_POST task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_CONFIG task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_AUTH_LIFETIME
task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing CHILD_CREATE task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating new tasks
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating IKE_VENDOR task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating IKE_INIT task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating IKE_NATD task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating IKE_CERT_PRE
task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating IKE_AUTHENTICATE
task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating IKE_CERT_POST
task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating IKE_CONFIG task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating CHILD_CREATE
task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating
IKE_AUTH_LIFETIME task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] initiating IKE_SA
static-vpn-gw[1] to 193.185.215.163
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] initiating IKE_SA
static-vpn-gw[1] to 193.185.215.163
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] IKE_SA static-vpn-gw[1] state
change: CREATED => CONNECTING
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[NET] sending packet: from
192.168.171.219[500] to 193.185.215.163[500]
Mar 23 14:14:59 dynamic-vpn-gw charon: 08[NET] sending packet: from
192.168.171.219[500] to 193.185.215.163[500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 09[NET] received packet: from
193.185.215.163[500] to 192.168.171.219[500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[NET] received packet: from
193.185.215.163[500] to 192.168.171.219[500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 09[NET] waiting for data on raw
sockets
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] local host is behind NAT,
sending keep alives
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] reinitiating already active
tasks
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] IKE_CERT_PRE task
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] IKE_AUTHENTICATE task
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] authentication of
'me at dynamic-vpn-gw' (myself) with pre-shared key
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] successfully created shared
key MAC
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] establishing CHILD_SA
static-vpn-gw
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] establishing CHILD_SA
static-vpn-gw
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[KNL] getting SPI for reqid {1}
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[KNL] got SPI cf06ca01 for reqid
{1}
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[ENC] generating IKE_AUTH request 1
[ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[NET] sending packet: from
192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 08[NET] sending packet: from
192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 09[NET] received packet: from
193.185.215.163[4500] to 192.168.171.219[4500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[NET] received packet: from
193.185.215.163[4500] to 192.168.171.219[4500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 09[NET] waiting for data on raw
sockets
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[ENC] parsed IKE_AUTH response 1 [
IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] authentication of
'me at static-vpn-gw' with pre-shared key successful
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] IKE_SA static-vpn-gw[1]
established between 192.168.171.219[me at dynamic-vpn-gw
]...193.185.215.163[me at static-vpn-gw]
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] IKE_SA static-vpn-gw[1]
established between 192.168.171.219[me at dynamic-vpn-gw
]...193.185.215.163[me at static-vpn-gw]
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] IKE_SA static-vpn-gw[1] state
change: CONNECTING => ESTABLISHED
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] scheduling reauthentication
in 3332s
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] maximum IKE_SA lifetime 3512s
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding SAD entry with SPI
cf06ca01 and reqid {1}
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using encryption algorithm
AES_CBC with key size 256
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using integrity algorithm
AES_XCBC_96 with key size 128
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding SAD entry with SPI
ceed53f3 and reqid {1}
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using encryption algorithm
AES_CBC with key size 256
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using integrity algorithm
AES_XCBC_96 with key size 128
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding policy 192.168.2.0/24===
192.168.1.0/24 out
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding policy 192.168.1.0/24===
192.168.2.0/24 in
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding policy 192.168.1.0/24===
192.168.2.0/24 fwd
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting a local address in
traffic selector 192.168.2.0/24
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using host 192.168.2.1
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting address to reach
193.185.215.163
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting interface name for
192.168.171.219
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] 192.168.171.219 is on
interface eth0
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] installing route:
192.168.1.0/24 via 192.168.171.1 src 192.168.2.1 dev eth0
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting iface index for eth0
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] CHILD_SA static-vpn-gw{1}
established with SPIs cf06ca01_i ceed53f3_o and TS 192.168.2.0/24 ===
192.168.1.0/24
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] CHILD_SA static-vpn-gw{1}
established with SPIs cf06ca01_i ceed53f3_o and TS 192.168.2.0/24 ===
192.168.1.0/24
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting interface name for
192.168.171.219
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] 192.168.171.219 is on
interface eth0
Mar 23 14:15:00 dynamic-vpn-gw vpn: + me at static-vpn-gw 192.168.1.0/24 ==
193.185.215.163 -- 192.168.171.219 == 192.168.2.0/24
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] received AUTH_LIFETIME of
3247s, scheduling reauthentication in 3067s
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] activating new tasks
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] nothing to initiate
Mar 23 14:15:10 dynamic-vpn-gw charon: 11[KNL] querying SAD entry with SPI
cf06ca01
Mar 23 14:15:10 dynamic-vpn-gw charon: 11[KNL] querying SAD entry with SPI
ceed53f3
Mar 23 14:15:19 dynamic-vpn-gw charon: 07[KNL] querying SAD entry with SPI
ceed53f3
Mar 23 14:15:24 dynamic-vpn-gw charon: 13[KNL] querying SAD entry with SPI
ceed53f3
Mar 23 14:15:24 dynamic-vpn-gw charon: 13[IKE] sending keep alive
Mar 23 14:15:24 dynamic-vpn-gw charon: 13[NET] sending packet: from
192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:24 dynamic-vpn-gw charon: 08[NET] sending packet: from
192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:44 dynamic-vpn-gw charon: 12[KNL] querying SAD entry with SPI
ceed53f3
Mar 23 14:15:44 dynamic-vpn-gw charon: 12[IKE] sending keep alive
Mar 23 14:15:44 dynamic-vpn-gw charon: 12[NET] sending packet: from
192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:44 dynamic-vpn-gw charon: 08[NET] sending packet: from
192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:16:04 dynamic-vpn-gw charon: 14[KNL] querying SAD entry with SPI
ceed53f3
And here is "ipsec statusall" from the public, static gateway:
[root at static-vpn-gw etc]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.1):
uptime: 105 seconds, since Mar 23 14:14:34 2011
malloc: sbrk 270336, mmap 0, used 221392, free 48944
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: aes des blowfish sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
193.185.215.163
192.168.1.210
Connections:
dynamic-vpn-gw: 193.185.215.163...%any
dynamic-vpn-gw: local: [me at static-vpn-gw] uses pre-shared key authentication
dynamic-vpn-gw: remote: [me at dynamic-vpn-gw] uses any authentication
dynamic-vpn-gw: child: 0.0.0.0/0 === 192.168.2.0/24
Security Associations:
dynamic-vpn-gw[1]: ESTABLISHED 98 seconds ago, 193.185.215.163[me at static-vpn-gw]...193.185.215.146[me at dynamic-vpn-gw]
dynamic-vpn-gw[1]: IKE SPIs: 51a18d63de518894_i a2a7b5aee6c554b5_r*, pre-shared key reauthentication in 52 minutes
dynamic-vpn-gw[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
dynamic-vpn-gw{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ceed53f3_i cf06ca01_o
dynamic-vpn-gw{1}: AES_CBC_256/AES_XCBC_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
dynamic-vpn-gw{1}: 192.168.1.0/24 === 192.168.2.0/24
No leaks detected, 1 suppressed by whitelist
...and the same from the private, dynamic gateway:
[root at dynamic-vpn-gw log]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.1):
uptime: 11 seconds, since Mar 23 14:14:59 2011
malloc: sbrk 270336, mmap 0, used 208352, free 61984
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 4
loaded plugins: aes des blowfish sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
192.168.171.219
192.168.2.1
Connections:
static-vpn-gw: 192.168.171.219...193.185.215.163
static-vpn-gw: local: [me at dynamic-vpn-gw] uses pre-shared key authentication
static-vpn-gw: remote: [me at static-vpn-gw] uses any authentication
static-vpn-gw: child: 0.0.0.0/0 === 192.168.1.0/24
Security Associations:
static-vpn-gw[1]: ESTABLISHED 10 seconds ago, 192.168.171.219[me at dynamic-vpn-gw]...193.185.215.163[me at static-vpn-gw]
static-vpn-gw[1]: IKE SPIs: 51a18d63de518894_i* a2a7b5aee6c554b5_r, pre-shared key reauthentication in 50 minutes
static-vpn-gw[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
static-vpn-gw{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cf06ca01_i ceed53f3_o
static-vpn-gw{1}: AES_CBC_256/AES_XCBC_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
static-vpn-gw{1}: 192.168.2.0/24 === 192.168.1.0/24
No leaks detected, 1 suppressed by whitelist
...and nothing works :) I cannot ping from public to private, or from
private to public; the firewall rulebase(s) allow any ICMP from any source.
Here is the ip route output:
[root at static-vpn-gw etc]# ip route show table 220
192.168.2.0/24 via 193.185.215.161 dev eth0 proto static src 192.168.1.210
[iddqd at dynamic-vpn-gw Desktop]$ ip route show table 220
192.168.1.0/24 via 192.168.171.1 dev eth0 proto static src 192.168.2.1
Any ideas? Is it even possible to set up LAN-to-LAN gateways where one of
them is behind DHCP and NAT, using pre-shared keys???
Best Regards,
Matti
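Added example, not part of the original post and not strongSwan's own code: a Python health check that parses `ipsec statusall` output of the form shown in the two dumps above and reports the state they exhibit, namely an ESTABLISHED IKE_SA and an INSTALLED CHILD_SA with UDP encapsulation (NAT-T) whose counters still read 0 bytes in both directions, plus the narrowing of the configured `0.0.0.0/0` selector to `192.168.1.0/24`. The embedded sample is constructed from the responder's dump; it writes the identities with a real "@" where the list archive printed " at ", and the regexes accept either form. The `expected_ts` parameter and the wording of the findings are this example's own, not strongSwan output.

```python
"""Health check for a strongSwan 4.x (charon) tunnel from `ipsec statusall` output.

Example code, not strongSwan code. Parses the status dump and reports: is the
IKE_SA ESTABLISHED, is the CHILD_SA INSTALLED, is NAT traversal (ESP in UDP) in
use, were the negotiated selectors narrowed from what ipsec.conf asked for, and
has any traffic actually entered the tunnel.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample modelled on the responder's dump in the post above.
SAMPLE_STATUSALL = """\
Status of IKEv2 charon daemon (strongSwan 4.5.1):
  uptime: 105 seconds, since Mar 23 14:14:34 2011
Connections:
  dynamic-vpn-gw:  193.185.215.163...%any
  dynamic-vpn-gw:   local:  [me@static-vpn-gw] uses pre-shared key authentication
  dynamic-vpn-gw:   remote: [me@dynamic-vpn-gw] uses any authentication
  dynamic-vpn-gw:   child:  0.0.0.0/0 === 192.168.2.0/24
Security Associations:
  dynamic-vpn-gw[1]: ESTABLISHED 98 seconds ago, 193.185.215.163[me@static-vpn-gw]...193.185.215.146[me@dynamic-vpn-gw]
  dynamic-vpn-gw[1]: IKE SPIs: 51a18d63de518894_i a2a7b5aee6c554b5_r*, pre-shared key reauthentication in 52 minutes
  dynamic-vpn-gw{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ceed53f3_i cf06ca01_o
  dynamic-vpn-gw{1}:  AES_CBC_256/AES_XCBC_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
  dynamic-vpn-gw{1}:   192.168.1.0/24 === 192.168.2.0/24
"""


@dataclass
class IkeSa:
    name: str
    state: str
    local: str
    remote: str


@dataclass
class ChildSa:
    name: str
    state: str
    mode: str
    nat_t: bool          # True when the SA line says "ESP in UDP"
    spi_in: str
    spi_out: str
    bytes_in: int = 0
    bytes_out: int = 0
    local_ts: str = ""
    remote_ts: str = ""


@dataclass
class Status:
    ikes: dict        # (conn name, IKE_SA id) -> IkeSa
    children: dict    # (conn name, CHILD_SA id) -> ChildSa
    configured: dict  # conn name -> (local, remote) selectors from ipsec.conf


# Identities inside [...] may contain spaces (the archive's "me at host" form).
IKE_RE = re.compile(r"^\s*(?P<name>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z]+)\s+"
                    r"(?:\d+ \w+ ago, )?(?P<local>\S+?)\[[^\]]*\]\.\.\.(?P<remote>\S+?)\[[^\]]*\]")
SPI_RE = re.compile(r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+), (?P<mode>[A-Z]+), "
                    r"(?P<proto>ESP(?: in UDP)?) SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
BYTES_RE = re.compile(r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+[^,]+, (?P<bi>\d+) bytes_i, (?P<bo>\d+) bytes_o")
TS_RE = re.compile(r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<lts>\S+) === (?P<rts>\S+)\s*$")
CONF_CHILD_RE = re.compile(r"^\s*(?P<name>[\w-]+):\s+child:\s+(?P<lts>\S+) === (?P<rts>\S+)")


def parse_statusall(text):
    """Build a Status from the Connections and Security Associations sections."""
    ikes, children, configured = {}, {}, {}
    for line in text.splitlines():
        if m := CONF_CHILD_RE.match(line):
            configured[m["name"]] = (m["lts"], m["rts"])
        elif m := IKE_RE.match(line):
            ikes[(m["name"], int(m["id"]))] = IkeSa(m["name"], m["state"], m["local"], m["remote"])
        elif m := SPI_RE.match(line):
            children[(m["name"], int(m["id"]))] = ChildSa(
                m["name"], m["state"], m["mode"], m["proto"] == "ESP in UDP", m["spi_in"], m["spi_out"])
        elif (m := BYTES_RE.match(line)) and (c := children.get((m["name"], int(m["id"])))):
            c.bytes_in, c.bytes_out = int(m["bi"]), int(m["bo"])
        elif (m := TS_RE.match(line)) and (c := children.get((m["name"], int(m["id"])))):
            c.local_ts, c.remote_ts = m["lts"], m["rts"]
    return Status(ikes, children, configured)


def assess(status, expected_ts=None):
    """Return (severity, message) findings; expected_ts=(local, remote) is this example's own knob."""
    out = []
    if not status.ikes:
        out.append(("FAIL", "no IKE_SA: the peers never completed IKE_SA_INIT/IKE_AUTH"))
    for (name, sid), ike in status.ikes.items():
        if ike.state != "ESTABLISHED":
            out.append(("FAIL", f"IKE_SA {name}[{sid}] is {ike.state}, not ESTABLISHED"))
    if not status.children:
        out.append(("FAIL", "no CHILD_SA: IKE may be up but no ESP SAs or policies exist"))
    for (name, cid), c in status.children.items():
        tag = f"CHILD_SA {name}{{{cid}}}"
        if c.state != "INSTALLED":
            out.append(("FAIL", f"{tag} is {c.state}, not INSTALLED"))
        if c.nat_t:
            out.append(("INFO", f"{tag} uses UDP encapsulation (NAT-T); the NAT mapping must be kept alive"))
        conf = status.configured.get(name)
        if conf and conf != (c.local_ts, c.remote_ts):
            out.append(("WARN", f"{tag} selectors {c.local_ts} === {c.remote_ts} were narrowed "
                                f"from configured {conf[0]} === {conf[1]}"))
        if expected_ts and (c.local_ts, c.remote_ts) != expected_ts:
            out.append(("FAIL", f"{tag} selectors differ from expected {expected_ts[0]} === {expected_ts[1]}"))
        if c.bytes_in == 0 and c.bytes_out == 0:
            out.append(("WARN", f"{tag} is up but carried 0 bytes both ways: no packet matched its policies "
                                f"(is test traffic sourced from inside {c.local_ts}, and does no NAT rule "
                                f"rewrite it before encapsulation?)"))
        elif c.bytes_in == 0:
            out.append(("WARN", f"{tag} sends but receives nothing: replies are lost remotely or on the way back"))
        elif c.bytes_out == 0:
            out.append(("WARN", f"{tag} receives but sends nothing: local traffic is not reaching the policy"))
    return out


if __name__ == "__main__":
    # Pipe `ipsec statusall` in, or run without input to evaluate the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUSALL
    for sev, msg in assess(parse_statusall(text)):
        print(f"[{sev}] {msg}")
```

On the sample the script reports no FAIL, an INFO for NAT-T, a WARN that the `0.0.0.0/0` selector was narrowed, and a WARN that the tunnel has carried 0 bytes both ways, which is the distinguishing fact in both dumps above: the SAs and policies exist, but nothing is being matched into them. Run it on both gateways after a test ping; a one-directional counter narrows the fault to one side.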