[strongSwan] L2tp + roadwarrior

Ali Masoudi masoudi1983 at gmail.com
Thu Dec 13 10:47:51 CET 2012


Hi all

I want to connect to a system on which strongSwan is running. I
have to use L2TP tunnels and pseudo IPsec roadwarrior tunnels. I
should explain that in the roadwarrior connections we know both subnets,
so we can use them rather than leaving the field unset. So here is my
configuration:

ipsec.conf at 192.168.20.168:

#########################################
config setup
        uniqueids="no"
        strictcrlpolicy="no"

conn %default
        keyingtries="%forever"
        leftsendcert="always"

include /usr/local/etc/ipsec.l2tp.conf

conn MyTun2
       authby="psk"
       auto="add"
       compress="no"
       keyexchange="ikev1"
       ike="aes256-md5-modp1536!"
       ikelifetime="86400"
       esp="aes256-md5-modp1536!"
       keylife="86400"
       left="192.168.20.168"
       leftid="192.168.20.168"
       leftsubnet="192.168.5.0/24"
       rekeymargin="20"
       right="%any"
       rightid="tarigh-rw-170"
       rightsubnet="192.168.150.0/24"
       type="tunnel"

ipsec.l2tp.conf:
#######################################
conn L2TP
        auto="add"
        authby="psk"
        type="tunnel"
        left="192.168.20.168"
        leftprotoport="17/1701"
        right="%any"
        rightprotoport="17/%any"
        rekey="no"
        keyingtries="5"
        #leftfirewall="yes"
        ike="aes256-sha1-modp2048!"
        esp="aes-sha1!"

////////////////////////////////////////////////////////////////////////////////////////////////////

ipsec.conf at 192.168.20.170 as RW:
#####################################################
config setup
        uniqueids="no"
        strictcrlpolicy="no"

conn %default
        keyingtries="%forever"
        leftsendcert="always"

conn MyTun
       authby="psk"
       auto="start"
       compress="no"
       keyexchange="ikev1"
       ike="aes256-md5-modp1536!"
       ikelifetime="86400"
       esp="aes256-md5-modp1536!"
       keylife="86400"
       left="192.168.20.170"
       leftid="tarigh-rw-170"
       leftsubnet="192.168.150.0/24"
       rekeymargin="20"
       right="192.168.20.168"
       rightid="192.168.20.168"
       rightsubnet="192.168.5.0/24"
       type="tunnel"

//////////////////////////////////////////////////////////////////////////////////////////////////////


here is some part of the log on 192.168.20.168:

16:39 14[CFG] <1> looking for an ike config for 192.168.20.168...192.168.20.170
16:39 14[CFG] <1> ike config match: 5 (192.168.20.168 192.168.20.170)
16:39 14[CFG] <1>   candidate: 192.168.20.168...%any, prio 5
16:39 14[CFG] <1> ike config match: 5 (192.168.20.168 192.168.20.170)
16:39 14[CFG] <1>   candidate: 192.168.20.168...%any, prio 5
16:39 14[CFG] <1> found matching ike config: 192.168.20.168...%any with prio 5
16:39 01[JOB] next event in 29s 999ms, waiting
16:39 14[IKE] <1> received XAuth vendor ID
16:39 14[IKE] <1> received NAT-T (RFC 3947) vendor ID
16:39 14[IKE] <1> received DPD vendor ID
16:39 14[IKE] <1> 192.168.20.170 is initiating a Main Mode IKE_SA
16:39 14[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
16:39 14[DMN] <1> PAYA: get_proposals:IKE .
16:39 14[CFG] <1> selecting proposal:
16:39 14[CFG] <1>   no acceptable INTEGRITY_ALGORITHM found
16:39 14[CFG] <1> received proposals:
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
16:39 14[CFG] <1> configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
16:39 14[IKE] <1> no proposal found


I have some questions and I would be really grateful if any of them
were answered. What is the exact method of calculating "prio" for connections?
In the log above, prio is 5 for both matches.
In other words, what is the priority of the configs? Which one has
the higher prio? Which one has the lower?
Is there any solution for my test scenario?

Thank you so much
Ali
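The following is an added illustration, not part of the original post and not strongSwan's code. It models the two things the posted log shows: the responder scores its ike configs on the IKE endpoint addresses only (in IKEv1 Main Mode the peer's ID payload arrives encrypted, after the proposal has already been chosen, so `rightid=` cannot influence the choice), both conns score the same because both have a specific `left=` and `right=%any`, and the first one defined (L2TP, pulled in by the `include` before MyTun2) wins the tie; its `ike=` line is then intersected with the peer's proposal and fails on the integrity algorithm. The score constants (1 for `%any`, 4 for a matching local address, 8 for a matching remote address) are an assumption chosen to reproduce the value 5 in the log, not a statement of strongSwan's internals; the conn definitions are taken from the posted ipsec.conf files.

```python
"""Model of IKEv1 ike-config selection and proposal intersection.

Added example; this is not strongSwan's code. Score constants are assumed,
picked so that specific left= plus right=%any totals 5 as in the posted log.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MATCH_ANY = 1    # endpoint configured as %any (assumed weight)
MATCH_ME = 4     # left= equals our own address (assumed weight)
MATCH_OTHER = 8  # right= equals the peer address (assumed weight)

Proposal = Tuple[str, str, Optional[str]]  # (encryption, integrity, dh group or None)


def parse_proposal(spec: str) -> List[Proposal]:
    """Parse an ike=/esp= string such as 'aes256-md5-modp1536!' into tuples.
    The trailing '!' (strict list) is ignored for matching purposes."""
    proposals: List[Proposal] = []
    for item in spec.rstrip("!").split(","):
        enc = integ = dh = None
        for tok in item.split("-"):
            if tok.startswith(("modp", "ecp")):
                dh = tok
            elif tok.startswith(("aes", "3des", "camellia")):
                enc = tok
            else:
                integ = tok
        if enc is None or integ is None:
            raise ValueError(f"incomplete proposal: {item!r}")
        proposals.append((enc, integ, dh))
    return proposals


@dataclass(frozen=True)
class Conn:
    name: str
    left: str
    right: str
    ike: str


def match_score(conn: Conn, me: str, other: str) -> int:
    """Score a conn on addresses alone; identities are not known yet in Main Mode."""
    score = 0
    for configured, actual, specific in ((conn.left, me, MATCH_ME),
                                         (conn.right, other, MATCH_OTHER)):
        if configured == actual:
            score += specific
        elif configured == "%any":
            score += MATCH_ANY
        else:
            return 0  # address configured but does not match: not a candidate
    return score


def select_ike_cfg(conns: List[Conn], me: str, other: str):
    """Highest score wins; on a tie the conn defined first is kept."""
    best, best_score = None, 0
    for conn in conns:
        s = match_score(conn, me, other)
        if s > best_score:
            best, best_score = conn, s
    return best, best_score


def negotiate(configured: str, received: str) -> Optional[Proposal]:
    """Return the first received proposal that is also configured, else None."""
    ours = parse_proposal(configured)
    for prop in parse_proposal(received):
        if prop in ours:
            return prop
    return None


def mismatch_reason(configured: str, received: str) -> Optional[str]:
    """Name the first component with no overlap, in the style of the log line."""
    ours, theirs = parse_proposal(configured), parse_proposal(received)
    for idx, label in ((0, "ENCRYPTION_ALGORITHM"),
                       (1, "INTEGRITY_ALGORITHM"),
                       (2, "DIFFIE_HELLMAN_GROUP")):
        if not {p[idx] for p in ours} & {p[idx] for p in theirs}:
            return label
    return None


# Responder conns in the order ipsec.conf defines them (the include comes first).
RESPONDER_CONNS = [
    Conn("L2TP", "192.168.20.168", "%any", "aes256-sha1-modp2048!"),
    Conn("MyTun2", "192.168.20.168", "%any", "aes256-md5-modp1536!"),
]
PEER_PROPOSAL = "aes256-md5-modp1536"  # what MyTun on 192.168.20.170 proposes


def reproduce():
    conn, prio = select_ike_cfg(RESPONDER_CONNS, "192.168.20.168", "192.168.20.170")
    return conn.name, prio, negotiate(conn.ike, PEER_PROPOSAL), mismatch_reason(conn.ike, PEER_PROPOSAL)


def with_fix() -> Optional[Proposal]:
    """One fix: the conn that wins the tie must also list the proposal the
    roadwarrior sends. Using the same (stronger) algorithms on every conn,
    e.g. sha256/modp2048 on both sides, is the better option in practice."""
    return negotiate("aes256-sha1-modp2048,aes256-md5-modp1536!", PEER_PROPOSAL)


if __name__ == "__main__":
    print("as posted:", reproduce())
    print("with fix: ", with_fix())
```

Running it shows the L2TP conn chosen with score 5 and no common proposal (integrity mismatch), then a successful match once the winning conn also carries the roadwarrior's proposal. MD5 HMAC and modp1536 are weak choices today; aligning both conns on sha256 and modp2048 removes the mismatch without keeping the weak suite.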



