[strongSwan] host to host configuration

Dmitry Korzhevin dmitry.korzhevin at stidia.com
Sun Aug 19 12:31:34 CEST 2012


Hello,

I need to configure a host-to-host connection (Linux to Linux).

SERVER SIDE

I have a Debian GNU/Linux server with strongSwan 5.0.0 compiled from
source with the following configs

ipsec.conf
---------

config setup
        uniqueids=no
conn ios
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        left=SERVERIP
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        rightsubnet=0.0.0.0/0
        rightsourceip=10.2.0.0/24
        auto=add

conn android
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        left=SERVERIP
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=10.2.0.0/24
        modeconfig=push
        auto=add

ipsec.secrets
--------------
%any SERVERIP : PSK "mypsk"
 : PSK mypsk



CLIENT SIDE

The client is ArchLinux with strongSwan 5.0.0 compiled from source

ipsec.conf
-----------

conn linux
        leftfirewall=yes
        left=%defaultroute
        right=SERVERIP
        authby=xauthpsk
        auto=add


ipsec.secrets
-------------

%any : PSK mypsk
testuser123 : XAUTH "testpass123"



What I do on the client:

ipsec start
ipsec up linux


error log:

/usr/sbin/ipsec: unknown IPsec command `linux' (`ipsec --help' for list)
[root at localhost dkorzhevin]# ipsec up linux
initiating IKE_SA linux[1] to SERVERIP
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.21.0.147[500] to SERVERIP[500]
received packet: from SERVERIP[500] to 172.21.0.147[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
no IDi configured, fall back on IP address
authentication of '172.21.0.147' (myself) with pre-shared key
establishing CHILD_SA linux
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
sending packet: from 172.21.0.147[4500] to SERVERIP[4500]
received packet: from SERVERIP[4500] to 172.21.0.147[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error



log on server side:

Aug 19 12:26:37 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 19 12:26:37 10[NET] sending packet: from SERVERIP[500] to
195.39.196.250[500]
Aug 19 12:26:37 15[NET] received packet: from 195.39.196.250[4500] to
SERVERIP[4500]
Aug 19 12:26:37 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH)
N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Aug 19 12:26:37 15[CFG] looking for peer configs matching
SERVERIP[SERVERIP]...195.39.196.250[172.21.0.147]
Aug 19 12:26:37 15[CFG] no matching peer config found
Aug 19 12:26:37 15[IKE] peer supports MOBIKE
Aug 19 12:26:37 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 19 12:26:37 15[LIB] enabled  RNG_WEAK[default]: passed 3 test vectors
Aug 19 12:26:37 15[NET] sending packet: from SERVERIP[4500] to
195.39.196.250[4500]


Where am I wrong?


Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin at stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
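The server-side log above ends in "no matching peer config found" right after an IKE_AUTH request. IKE_SA_INIT and IKE_AUTH are IKEv2 exchange names, while both conns on the server are pinned to keyexchange=ikev1, so the first check in a case like this is whether any responder conn accepts the IKE version the peer is actually speaking, before looking at identities or PSKs. The Python script below is an added example, not part of this post and not strongSwan's own tooling: it reads a small constructed ipsec.conf and a constructed charon log excerpt modelled on the ones above (documentation placeholder addresses), extracts the IKE version from the exchange names, pulls the identities out of the "looking for peer configs matching" line, and reports whether the failure is a version mismatch or something further along (IDs, selectors, secrets). The exchange-name sets and the reading of the default keyexchange=ike as accepting both versions on the responder are assumptions, marked as such in the code.

```python
import re

# Constructed sample modelled on the server-side log in the post; addresses are
# documentation placeholders, not the real hosts.
SAMPLE_LOG = """\
Aug 19 12:26:37 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 19 12:26:37 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
Aug 19 12:26:37 15[CFG] looking for peer configs matching 192.0.2.1[192.0.2.1]...198.51.100.7[172.21.0.147]
Aug 19 12:26:37 15[CFG] no matching peer config found
Aug 19 12:26:37 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Constructed responder ipsec.conf with the same shape as the server config in the post.
SAMPLE_CONF = """\
config setup
        uniqueids=no
conn ios
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        left=192.0.2.1
        right=%any
        auto=add
conn android
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        left=192.0.2.1
        right=%any
        modeconfig=push
        auto=add
"""

# Exchange type names as charon prints them (assumption: IKEv2 set, then IKEv1 set).
IKEV2_EXCHANGES = {"IKE_SA_INIT", "IKE_AUTH", "CREATE_CHILD_SA"}
IKEV1_EXCHANGES = {"ID_PROT", "AGGRESSIVE", "QUICK_MODE", "TRANSACTION", "INFORMATIONAL_V1"}

PEER_LOOKUP = re.compile(
    r"looking for peer configs matching ([^\s\[]+)\[([^\]]*)\]\.\.\.([^\s\[]+)\[([^\]]*)\]")
EXCHANGE = re.compile(r"\b(?:parsed|generating) (\S+) (?:request|response) \d+")


def parse_conns(conf_text):
    """Minimal ipsec.conf reader: returns {conn_name: {key: value}}, skipping 'config setup'."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # an unindented line starts a new section
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def accepted_versions(conn):
    """IKE versions a conn will answer as responder. Assumption: the default
    keyexchange=ike is treated as accepting both IKEv1 and IKEv2."""
    kx = conn.get("keyexchange", "ike")
    return {"ikev1": {1}, "ikev2": {2}}.get(kx, {1, 2})


def analyse_log(log_text):
    """Extract the IKE version(s) seen, the identities used for the peer-config lookup,
    and whether charon reported that no peer config matched."""
    versions, identities, no_match = set(), None, False
    for line in log_text.splitlines():
        m = EXCHANGE.search(line)
        if m:
            if m.group(1) in IKEV2_EXCHANGES:
                versions.add(2)
            elif m.group(1) in IKEV1_EXCHANGES:
                versions.add(1)
        m = PEER_LOOKUP.search(line)
        if m:
            identities = {"local_addr": m.group(1), "local_id": m.group(2),
                          "remote_addr": m.group(3), "remote_id": m.group(4)}
        if "no matching peer config found" in line:
            no_match = True
    return {"versions": versions, "identities": identities, "no_match": no_match}


def diagnose(conf_text, log_text):
    """Cross-check the responder's conns against what the log shows and name the likely cause."""
    conns = parse_conns(conf_text)
    seen = analyse_log(log_text)
    accepting = {v: sorted(n for n, c in conns.items() if v in accepted_versions(c))
                 for v in seen["versions"]}
    if not seen["no_match"]:
        verdict = "no_peer_config_failure_seen"
    elif seen["versions"] and not any(accepting.values()):
        verdict = "ike_version_mismatch"            # no conn accepts the version the peer used
    else:
        verdict = "identity_or_selector_mismatch"   # version is fine; check IDs, subnets, secrets
    return {"observed_versions": sorted(seen["versions"]), "accepting_conns": accepting,
            "identities": seen["identities"], "no_match": seen["no_match"], "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CONF, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against real files with `diagnose(open("/etc/ipsec.conf").read(), open("charon.log").read())`. The verdict only narrows the search: "ike_version_mismatch" means none of the conns can even be considered for the peer's IKE version, whereas "identity_or_selector_mismatch" means a conn of the right version exists and the identities printed in the report are what the responder tried to match against left/right and leftid/rightid.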
