[strongSwan] L2tp + roadwarrior
Ali Masoudi
masoudi1983 at gmail.com
Sat Dec 22 13:13:52 CET 2012
Hi again
By specifying the left/right subnets and IDs, and also by using IKEv2
connections, the problem was solved.
On Thu, Dec 13, 2012 at 1:17 PM, Ali Masoudi <masoudi1983 at gmail.com> wrote:
> Hi all
>
> I want to connect to a system on which strongSwan is running. I
> have to use L2TP tunnels and pseudo-IPsec roadwarrior tunnels. I
> should explain that in the roadwarrior connections we know both subnets,
> so we can use them instead of leaving the field unset. So here is my
> configuration:
>
> ipsec.conf at 192.168.20.168:
>
> #########################################
> config setup
>         uniqueids="no"
>         strictcrlpolicy="no"
>
> conn %default
>         keyingtries="%forever"
>         leftsendcert="always"
>
> include /usr/local/etc/ipsec.l2tp.conf
>
> conn MyTun2
>         authby="psk"
>         auto="add"
>         compress="no"
>         keyexchange="ikev1"
>         ike="aes256-md5-modp1536!"
>         ikelifetime="86400"
>         esp="aes256-md5-modp1536!"
>         keylife="86400"
>         left="192.168.20.168"
>         leftid="192.168.20.168"
>         leftsubnet="192.168.5.0/24"
>         rekeymargin="20"
>         right="%any"
>         rightid="tarigh-rw-170"
>         rightsubnet="192.168.150.0/24"
>         type="tunnel"
>
> ipsec.l2tp.conf:
> #######################################
> conn L2TP
>         auto="add"
>         authby="psk"
>         type="tunnel"
>         left="192.168.20.168"
>         leftprotoport="17/1701"
>         right="%any"
>         rightprotoport="17/%any"
>         rekey="no"
>         keyingtries="5"
>         #leftfirewall="yes"
>         ike="aes256-sha1-modp2048!"
>         esp="aes-sha1!"
>
> ////////////////////////////////////////////////////////////////////////////////////////////////////
>
> ipsec.conf at 192.168.20.170 as RW:
> #####################################################
> config setup
>         uniqueids="no"
>         strictcrlpolicy="no"
>
> conn %default
>         keyingtries="%forever"
>         leftsendcert="always"
>
> conn MyTun
>         authby="psk"
>         auto="start"
>         compress="no"
>         keyexchange="ikev1"
>         ike="aes256-md5-modp1536!"
>         ikelifetime="86400"
>         esp="aes256-md5-modp1536!"
>         keylife="86400"
>         left="192.168.20.170"
>         leftid="tarigh-rw-170"
>         leftsubnet="192.168.150.0/24"
>         rekeymargin="20"
>         right="192.168.20.168"
>         rightid="192.168.20.168"
>         rightsubnet="192.168.5.0/24"
>         type="tunnel"
>
> //////////////////////////////////////////////////////////////////////////////////////////////////////
>
>
> Here is part of the log on 192.168.20.168:
>
> 16:39 14[CFG] <1> looking for an ike config for 192.168.20.168...192.168.20.170
> 16:39 14[CFG] <1> ike config match: 5 (192.168.20.168 192.168.20.170)
> 16:39 14[CFG] <1> candidate: 192.168.20.168...%any, prio 5
> 16:39 14[CFG] <1> ike config match: 5 (192.168.20.168 192.168.20.170)
> 16:39 14[CFG] <1> candidate: 192.168.20.168...%any, prio 5
> 16:39 14[CFG] <1> found matching ike config: 192.168.20.168...%any with prio 5
> 16:39 01[JOB] next event in 29s 999ms, waiting
> 16:39 14[IKE] <1> received XAuth vendor ID
> 16:39 14[IKE] <1> received NAT-T (RFC 3947) vendor ID
> 16:39 14[IKE] <1> received DPD vendor ID
> 16:39 14[IKE] <1> 192.168.20.170 is initiating a Main Mode IKE_SA
> 16:39 14[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
> 16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
> 16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
> 16:39 14[DMN] <1> PAYA: get_proposals:IKE .
> 16:39 14[CFG] <1> selecting proposal:
> 16:39 14[CFG] <1> no acceptable INTEGRITY_ALGORITHM found
> 16:39 14[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 16:39 14[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> 16:39 14[IKE] <1> no proposal found
>
>
> I have some questions and I would be really grateful if any of them
> were answered. What is the exact method of calculating the "prio" for connections?
> In the log above, the prio is 5 for both matches.
> In other words, what is the priority of the configs? Which one has
> higher prio? Which one has lower?
> Is there any solution for my test scenario?
>
> Thank you so much
> Ali
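The log above shows the responder finding two candidate IKE configs that both match 192.168.20.168...%any with prio 5, keeping the first one, and then rejecting the roadwarrior's offer against that conn's ike= line (the L2TP conn, which the include pulls in before conn MyTun2). The peer's rightid is of no help at that point: in IKEv1 Main Mode the identity is only sent after the IKE proposal has been agreed, so two conns with identical addresses cannot be told apart by ID. The following Python is an added example, not part of the original post and not strongSwan's own code; it models that selection and adds a lint that flags conns a responder can never reach. It assumes a simplified scoring (an exact address scores 4, %any scores 1, both sides summed, which reproduces the prio 5 in the log), tie-breaking in definition order, a reduced set of algorithm keywords, and that a conn with keyexchange=ikev1 is not a candidate for an IKEv2 request, which is how the poster's fix (IKEv2 for the roadwarrior conn) shows up in the model. The conn names, sample addresses and proposal strings are taken from the posted configuration; the Conn class and the helper functions are this example's own.

```python
# Added example (not from the original post, nor strongSwan's own code): a
# model of responder-side IKE config selection and IKE proposal matching as
# seen in the log above. Every simplification is marked as assumed.
from dataclasses import dataclass

@dataclass
class Conn:
    name: str
    left: str
    right: str
    keyexchange: str  # "ikev1", "ikev2" or "ike" (either version)
    ike: str          # the ike= proposal string

# Constructed sample: the two responder conns from the posted ipsec.conf, in
# definition order (the include of ipsec.l2tp.conf comes before conn MyTun2).
CONNS = [
    Conn("L2TP", "192.168.20.168", "%any", "ikev1", "aes256-sha1-modp2048!"),
    Conn("MyTun2", "192.168.20.168", "%any", "ikev1", "aes256-md5-modp1536!"),
]

# Subset of strongSwan algorithm keywords, enough for this page (assumed).
ENCR = {"3des", "aes128", "aes192", "aes256"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096"}

def parse_proposals(spec):
    """'aes256-md5-modp1536!' -> [("aes256", "md5", "modp1536")]. Alternatives
    are comma-separated; the strict '!' is accepted, defaults are not modelled."""
    proposals = []
    for alt in spec.rstrip("!").split(","):
        enc = integ = dh = None
        for tok in alt.split("-"):
            if tok in ENCR:
                enc = tok
            elif tok in INTEG:
                integ = tok
            elif tok in DH:
                dh = tok
            else:
                raise ValueError(f"unknown keyword {tok!r} in {spec!r}")
        proposals.append((enc, integ, dh))
    return proposals

def select_proposal(received, configured):
    """Return (chosen, reason). When nothing matches, name the first transform
    class with no common algorithm, the way the daemon's log does."""
    recv, conf = parse_proposals(received), parse_proposals(configured)
    for r in recv:
        if r in conf:
            return r, "ok"
    for i, cls in enumerate(("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
                             "DIFFIE_HELLMAN_GROUP")):
        if not {r[i] for r in recv} & {c[i] for c in conf}:
            return None, f"no acceptable {cls} found"
    return None, "no proposal found"

# Assumed scoring: exact address 4, %any 1, both sides summed. It reproduces
# the "prio 5" in the log but is a simplification of the daemon's matching.
def address_match(cfg_addr, actual):
    if cfg_addr == "%any":
        return 1
    return 4 if cfg_addr == actual else 0

def versions_overlap(a, b):
    return a == "ike" or b == "ike" or a == b

def select_ike_cfg(conns, me, other, version):
    """Pick the conn whose left/right best match the IKE_SA endpoints. The
    peer ID is not known yet, so rightid cannot disambiguate. Ties keep the
    first-defined conn, as the log on this page suggests (assumed)."""
    best, best_prio = None, 0
    for c in conns:
        if not versions_overlap(c.keyexchange, version):
            continue
        mine, theirs = address_match(c.left, me), address_match(c.right, other)
        prio = mine + theirs if mine and theirs else 0
        if prio > best_prio:
            best, best_prio = c, prio
    return best, best_prio

def shadowed_conns(conns):
    """Lint: same endpoints and overlapping IKE version as an earlier conn but
    no IKE proposal in common with it means the conn is never reached."""
    findings = []
    for i, c in enumerate(conns):
        for earlier in conns[:i]:
            if (earlier.left, earlier.right) != (c.left, c.right):
                continue
            if not versions_overlap(earlier.keyexchange, c.keyexchange):
                continue
            chosen, reason = select_proposal(c.ike, earlier.ike)
            if chosen is None:
                findings.append(f"{c.name} is shadowed by {earlier.name}: {reason}")
    return findings

if __name__ == "__main__":
    cfg, prio = select_ike_cfg(CONNS, "192.168.20.168", "192.168.20.170", "ikev1")
    print(f"selected {cfg.name} with prio {prio}")
    print(select_proposal(CONNS[1].ike, cfg.ike))  # roadwarrior's offer vs L2TP
    for f in shadowed_conns(CONNS):
        print("warning:", f)
```

Run as a script it reports the L2TP conn selected with prio 5, the INTEGRITY_ALGORITHM mismatch, and a warning that MyTun2 is shadowed. Switching MyTun2 to keyexchange=ikev2 removes it from the IKEv1 candidate list in this model, so an IKEv2 initiator reaches it and the lint no longer fires. To check a real ipsec.conf, feed the conn sections in the order the daemon reads them, with includes expanded.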