[strongSwan] Help with Strongswan configuration (Virtual-IP, Subnet, DNS, ...) needed

Markus Mazurczak markus at markus-mazurczak.de
Sat Dec 22 17:01:55 CET 2012


Hi all,

I have been trying to configure strongSwan for 2 weeks now and I am not able 
to get a working connection.

I hope that someone can help me.

What I try to do:

I want to connect into the intranet of the company I am working for 
using my laptop. We have an NCP Secure Communications gateway server 
installed which uses a PSK and XAuth for authentication and authorization.
That gateway offers a new IP address (Virtual-IP) and 2 DNS servers.

I use strongSwan 5.0.1 on Arch Linux.

So far I have managed to get a working connection. This means that I can 
build up the IPsec tunnel.

This is my current configuration (the IPs are not the real ones ;)).

strongswan.conf
------------------------
# strongswan.conf - strongSwan configuration file

charon {
     # number of worker threads in charon
     threads = 16
     #port_nat_t = 4500
     #load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown resolv request_virtual_ip
}

pluto {

}

libstrongswan {

     #  set to no, the DH exponent size is optimized
     #  dh_exponent_ansi_x9_42 = no
}

ipsec.conf:
---------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
     charondebug="dmn 4, mgr 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, asn 4, enc 4, lib 4, esp 4, tls 4, tnc 4, imc 4, imv 4, pts 4"

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev1
     aggressive=no
     compress=no
     esp=aes256-sha256--modp1024
     ike=aes256-sha256--modp1024
     installpolicy=yes
     type=tunnel
     leftikeport=4500
     rightikeport=4500
     mobike=yes

conn home
     left=%any
     leftsourceip=%config
     leftfirewall=no
     leftauth=psk
     leftauth2=xauth
     right=195.1.2.3
     rightsubnet=0.0.0.0/0
     rightauth=psk
     rightid=%any
     xauth_identity=myUsername
     auto=add

ipsec.secrets:
------------------
: PSK "PreSharedKey"
: XAUTH "MyPassword"


195.1.2.3 is the IP of the public interface of our VPN gateway. For now I 
want to tunnel all my traffic. That's why I configured rightsubnet=0.0.0.0/0.

Here is the topology of what I am trying:

I am using a notebook with the IP 192.168.2.101 and I am behind a 
router which has the IP 192.168.2.1. I want to build up a tunnel to the 
gateway 195.1.2.3. The gateway always offers me an IP address from the 
pool 10.20.223.0/24, and from that point I think all my traffic should go 
through the tunnel to the gateway 195.1.2.3 with a source IP from 
10.20.223.0/24.

When I start building the tunnel I see the following output:

root at hoare: ~$>ipsec up home
initiating Main Mode IKE_SA home[1] to 195.1.2.3
generating ID_PROT request 0 [ SA V V V ]
sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
parsed ID_PROT response 0 [ SA V V V V V V ]
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:c0:00:00:00
received Cisco Unity vendor ID
received unknown vendor ID: c6:f5:7a:c3:98:f4:93:20:81:45:b7:58:1e:87:89:83
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
parsed TRANSACTION request 1390831875 [ HASH CP ]
generating TRANSACTION response 1390831875 [ HASH CP ]
sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
parsed TRANSACTION request 4028851316 [ HASH CP ]
XAuth authentication of 'myUsername' (myself) successful
IKE_SA home[1] established between 192.168.2.101[192.168.2.101]...195.1.2.3[10.20.223.136]
scheduling reauthentication in 3322s
maximum IKE_SA lifetime 3502s
generating TRANSACTION response 4028851316 [ HASH CP ]
sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
generating TRANSACTION request 887603534 [ HASH CP ]
sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
parsed TRANSACTION response 887603534 [ HASH CP ]
installing DNS server 10.20.100.21 to /etc/resolv.conf
installing DNS server 10.20.151.21 to /etc/resolv.conf
installing new virtual IP 10.20.223.225
generating QUICK_MODE request 2572835224 [ HASH SA No KE ID ID ]
sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
parsed QUICK_MODE response 2572835224 [ HASH SA No KE ID ID ]
CHILD_SA home{1} established with SPIs cba38bd9_i d6f6f51c_o and TS 10.20.223.225/32 === 0.0.0.0/0
root at hoare: ~$>

Executing 'ip route list' gives me:
default via 192.168.2.1 dev wlan0  proto static
192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.101

and 'ip route list table 220' shows:
default via 192.168.2.1 dev wlan0  proto static  src 10.20.223.225

The command 'ip xfrm policy' gives back:
src 0.0.0.0/0 dst 10.20.223.225/32
         dir fwd priority 1923
         tmpl src  dst 192.168.2.101
                 proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.20.223.225/32
         dir in priority 1923
         tmpl src 195.1.2.3 dst 192.168.2.101
                 proto esp reqid 2 mode tunnel
src 10.20.223.225/32 dst 0.0.0.0/0
         dir out priority 1923
         tmpl src 192.168.2.101 dst 195.1.2.3
                 proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
         socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         socket out priority 0
src ::/0 dst ::/0
         socket in priority 0
src ::/0 dst ::/0
         socket out priority 0
src ::/0 dst ::/0
         socket in priority 0
src ::/0 dst ::/0
         socket out priority 0

If I re-execute 'ip route list table 220' after a minute or two I get no 
output; table 220 is empty. Is this correct? I also see that the 
offered DNS servers are deleted from /etc/resolv.conf.

After I have established the tunnel using the above-mentioned configuration 
and try to open one of our intranet sites, I see a lot of ESP traffic 
(using Wireshark) but I never get an answer back.

Using the NCP client under Windows I can see that the client installs a 
virtual network interface. When connecting to the gateway, the client assigns 
the offered virtual IP to this interface. I am also able to connect to 
the company's intranet using my HTC smartphone with its pre-installed VPN 
client. So I think there is no special protocol behaviour of the NCP 
VPN gateway.

I would appreciate any help.

Thanks and regards

Markus
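An added example, not code from the post and not part of strongSwan or the NCP client: a small POSIX shell script that checks, from the three artefacts the post inspects (`ip xfrm policy`, `ip route list table 220` and /etc/resolv.conf), whether the kernel state for a virtual-IP "tunnel everything" connection is actually in place. The three checks are the ones a practitioner runs before staring at ESP in Wireshark: is there an outbound XFRM policy from the virtual IP to 0.0.0.0/0 with an ESP tunnel template to the gateway, does table 220 still hold the default route with `src` set to the virtual IP, and are the pushed DNS servers still in resolv.conf. The function names and the sample texts are my own; the samples are constructed from the output quoted in the post and use the post's placeholder addresses.

```shell
#!/bin/sh
# Added example (not from the post, strongSwan or NCP): verify the kernel state
# a strongSwan client installs for a virtual-IP "tunnel everything" connection.
# All sample data below is constructed from the output quoted in the post.

# Constructed sample: the non-socket part of `ip xfrm policy` after `ipsec up home`.
XFRM_POLICY='src 0.0.0.0/0 dst 10.20.223.225/32
        dir fwd priority 1923
        tmpl src  dst 192.168.2.101
                proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.20.223.225/32
        dir in priority 1923
        tmpl src 195.1.2.3 dst 192.168.2.101
                proto esp reqid 2 mode tunnel
src 10.20.223.225/32 dst 0.0.0.0/0
        dir out priority 1923
        tmpl src 192.168.2.101 dst 195.1.2.3
                proto esp reqid 2 mode tunnel'

# Constructed sample: `ip route list table 220` while the CHILD_SA is up.
ROUTE_220='default via 192.168.2.1 dev wlan0  proto static  src 10.20.223.225'

# Constructed sample: /etc/resolv.conf after the two pushed servers were added.
RESOLV='nameserver 10.20.100.21
nameserver 10.20.151.21
nameserver 192.168.2.1'

# has_out_policy VIP GATEWAY   (reads `ip xfrm policy` output on stdin)
# Succeeds if an outbound policy VIP/32 -> 0.0.0.0/0 exists whose template is
# an ESP tunnel ending at GATEWAY: the policy that sends every packet sourced
# from the virtual IP into the tunnel.
has_out_policy() {
    awk -v vip="$1/32" -v gw="$2" '
        $1 == "src"  { src = $2; dst = $4; dir = ""; tdst = ""; next }
        $1 == "dir"  { dir = $2; next }
        $1 == "tmpl" { for (i = 2; i < NF; i++) if ($i == "dst") tdst = $(i + 1); next }
        $1 == "proto" && $2 == "esp" {
            mode = ""
            for (i = 3; i < NF; i++) if ($i == "mode") mode = $(i + 1)
            if (dir == "out" && src == vip && dst == "0.0.0.0/0" &&
                tdst == gw && mode == "tunnel") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# has_vip_default_route VIP   (reads `ip route list table 220` on stdin)
# Succeeds if the table holds a default route whose preferred source is VIP.
# That "src" is what makes outgoing packets carry the virtual IP so the
# outbound policy above matches them; an empty table means the route is gone.
has_vip_default_route() {
    awk -v vip="$1" '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "src" && $(i + 1) == vip) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# has_nameserver ADDRESS   (reads resolv.conf on stdin)
has_nameserver() {
    awk -v ns="$1" '$1 == "nameserver" && $2 == ns { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_tunnel_state VIP GATEWAY XFRM_TEXT ROUTE_TEXT RESOLV_TEXT DNS...
# Prints one verdict line per check; returns 0 only if every check passes.
check_tunnel_state() {
    vip=$1; gw=$2; xfrm=$3; routes=$4; resolv=$5
    shift 5
    rc=0
    if printf '%s\n' "$xfrm" | has_out_policy "$vip" "$gw"; then
        echo "ok      xfrm out policy $vip/32 -> 0.0.0.0/0, ESP tunnel to $gw"
    else
        echo "MISSING xfrm out policy for $vip towards $gw"; rc=1
    fi
    if printf '%s\n' "$routes" | has_vip_default_route "$vip"; then
        echo "ok      table 220 default route with src $vip"
    else
        echo "MISSING table 220 default route with src $vip (removed or never installed)"; rc=1
    fi
    for ns in "$@"; do
        if printf '%s\n' "$resolv" | has_nameserver "$ns"; then
            echo "ok      nameserver $ns in resolv.conf"
        else
            echo "MISSING nameserver $ns in resolv.conf"; rc=1
        fi
    done
    return $rc
}

# Run the checks against the constructed samples (all of them pass).
check_tunnel_state 10.20.223.225 195.1.2.3 "$XFRM_POLICY" "$ROUTE_220" "$RESOLV" \
    10.20.100.21 10.20.151.21
```

On a live host replace the samples with real output, e.g. `ip xfrm policy | has_out_policy 10.20.223.225 195.1.2.3` (reading XFRM policies needs root) and `ip route list table 220 | has_vip_default_route 10.20.223.225`. The second check is the one that turns red in the situation the post describes, where table 220 is empty a minute or two after the tunnel came up: when the route with the virtual-IP source is gone, packets leave with the LAN address, no outbound policy matches them, and nothing is tunnelled, so that state is worth detecting before looking at the ESP traffic itself.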



