[strongSwan] Help with Strongswan configuration (Virtual-IP, Subnet, DNS, ...) needed

Markus Mazurczak markus at markus-mazurczak.de
Sun Dec 23 13:03:25 CET 2012


Hi Andreas,

thanks for your reply.

While connecting to the gateway I took a look at the system log. 
Everything seems fine. But after a minute I receive a DELETE_V1 payload 
from the gateway which apparently causes strongswan to delete the routes 
on my notebook:

Dec 23 12:36:05 hoare charon: 15[ENC] parsing DELETE_V1 payload finished
Dec 23 12:36:05 hoare charon: 15[ENC] parsed content of encryption payload
Dec 23 12:36:05 hoare charon: 15[ENC] insert decrypted payload of type 
HASH_V1 at end of list
Dec 23 12:36:05 hoare charon: 15[ENC] insert decrypted payload of type 
DELETE_V1 at end of list
Dec 23 12:36:05 hoare charon: 15[ENC] process payload of type HASH_V1
Dec 23 12:36:05 hoare charon: 15[ENC] process payload of type DELETE_V1
Dec 23 12:36:05 hoare charon: 15[ENC] verifying message structure
Dec 23 12:36:05 hoare charon: 15[ENC] found payload of type DELETE_V1
Dec 23 12:36:05 hoare charon: 15[ENC] parsed INFORMATIONAL_V1 request 
102917672 [ HASH D ]
Dec 23 12:36:05 hoare charon: 15[IKE] Hash => 32 bytes @ 0x7fce3c000d00
Dec 23 12:36:05 hoare charon: 15[IKE]    ...
Dec 23 12:36:05 hoare charon: 15[ENC] HASH received => 32 bytes @ 
0x7fce3c000d50
Dec 23 12:36:05 hoare charon: 15[ENC]    ...
Dec 23 12:36:05 hoare charon: 15[ENC] HASH expected => 32 bytes @ 
0x7fce3c000d00
Dec 23 12:36:05 hoare charon: 15[ENC]    ...
Dec 23 12:36:05 hoare charon: 15[IKE] next IV for MID 102917672 => 16 
bytes @ 0x7fce3c000d30
Dec 23 12:36:05 hoare charon: 15[IKE]    ...
Dec 23 12:36:05 hoare charon: 15[IKE] received DELETE for ESP CHILD_SA 
with SPI 8cb72da0
Dec 23 12:36:05 hoare charon: 15[KNL] querying SAD entry with SPI 
cd535e7a  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_GETSA: => 40 
bytes @ 0x7fce43ffe620
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] querying SAD entry with SPI 
8cb72da0  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_GETSA: => 40 
bytes @ 0x7fce43ffe620
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] querying policy 10.20.223.203/32 
=== 0.0.0.0/0 out  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_GETPOLICY: => 80 
bytes @ 0x7fce43ffe620
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[IKE] closing CHILD_SA home{1} with SPIs 
cd535e7a_i (0 bytes) 8cb72da0_o (1226 bytes) and TS 10.20.223.203/32 === 
0.0.0.0/0
Dec 23 12:36:05 hoare charon: 15[KNL] deleting SAD entry with SPI 
cd535e7a  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_DELSA: => 40 
bytes @ 0x7fce43ffe620
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] deleted SAD entry with SPI 
cd535e7a (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] deleting SAD entry with SPI 
8cb72da0  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_DELSA: => 40 
bytes @ 0x7fce43ffe620
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] deleted SAD entry with SPI 
8cb72da0 (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] deleting policy 10.20.223.203/32 
=== 0.0.0.0/0 out  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] policy still used by another 
CHILD_SA, not removed
Dec 23 12:36:05 hoare charon: 15[KNL] updating policy 10.20.223.203/32 
=== 0.0.0.0/0 out  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_UPDPOLICY: => 184 
bytes @ 0x7fce43ffe0a0
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] deleting policy 0.0.0.0/0 === 
10.20.223.203/32 in  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] policy still used by another 
CHILD_SA, not removed
Dec 23 12:36:05 hoare charon: 15[KNL] updating policy 0.0.0.0/0 === 
10.20.223.203/32 in  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_UPDPOLICY: => 184 
bytes @ 0x7fce43ffe0a0
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] deleting policy 0.0.0.0/0 === 
10.20.223.203/32 fwd  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] policy still used by another 
CHILD_SA, not removed
Dec 23 12:36:05 hoare charon: 15[KNL] updating policy 0.0.0.0/0 === 
10.20.223.203/32 fwd  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_UPDPOLICY: => 184 
bytes @ 0x7fce43ffe0a0
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] getting a local address in traffic 
selector 10.20.223.203/32
Dec 23 12:36:05 hoare charon: 15[KNL] using host 10.20.223.203
Dec 23 12:36:05 hoare charon: 15[KNL] using 192.168.2.1 as nexthop to 
reach 195.1.2.3
Dec 23 12:36:05 hoare charon: 15[KNL] 192.168.2.101 is on interface wlan0
Dec 23 12:36:05 hoare charon: 15[KNL] deleting policy 10.20.223.203/32 
=== 0.0.0.0/0 out  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_DELPOLICY: => 80 
bytes @ 0x7fce43ffe5e0
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] deleting policy 0.0.0.0/0 === 
10.20.223.203/32 in  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_DELPOLICY: => 80 
bytes @ 0x7fce43ffe5e0
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[KNL] deleting policy 0.0.0.0/0 === 
10.20.223.203/32 fwd  (mark 0/0x00000000)
Dec 23 12:36:05 hoare charon: 15[KNL] getting iface index for wlan0
Dec 23 12:36:05 hoare charon: 15[KNL] sending XFRM_MSG_DELPOLICY: => 80 
bytes @ 0x7fce43ffe5e0
Dec 23 12:36:05 hoare charon: 15[KNL]    ...
Dec 23 12:36:05 hoare charon: 15[MGR] checkin IKE_SA home[1]
Dec 23 12:36:05 hoare charon: 15[MGR] check-in of IKE_SA successful.
Dec 23 12:36:05 hoare charon: 02[MGR] IKE_SA home[1] successfully 
checked out
Dec 23 12:36:05 hoare charon: 02[NET] received packet: from 
195.1.2.3[4500] to 192.168.2.101[4500]
Dec 23 12:36:05 hoare charon: 02[ENC] parsing body of message, first 
payload is HASH_V1
Dec 23 12:36:05 hoare charon: 02[ENC] parsing ENCRYPTED_V1 payload, 64 
bytes left
Dec 23 12:36:05 hoare charon: 02[ENC] parsing payload from => 64 bytes @ 
0x7fce4c001590
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 0 ENCRYPTED_DATA
Dec 23 12:36:05 hoare charon: 02[ENC]    => 64 bytes @ 0x7fce38004820
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC] parsing ENCRYPTED_V1 payload finished
Dec 23 12:36:05 hoare charon: 02[ENC] process payload of type ENCRYPTED_V1
Dec 23 12:36:05 hoare charon: 02[ENC] found an encryption payload
Dec 23 12:36:05 hoare charon: 02[IKE] next IV for MID 1371129235 => 16 
bytes @ 0x7fce38004440
Dec 23 12:36:05 hoare charon: 02[IKE]    ...
Dec 23 12:36:05 hoare charon: 02[ENC] decrypting payloads:
Dec 23 12:36:05 hoare charon: 02[ENC] encrypted => 64 bytes @ 0x7fce38004820
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC] plain => 64 bytes @ 0x7fce38004820
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC] parsing HASH_V1 payload, 64 bytes left
Dec 23 12:36:05 hoare charon: 02[ENC] parsing payload from => 64 bytes @ 
0x7fce38004820
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 0 U_INT_8
Dec 23 12:36:05 hoare charon: 02[ENC]    => 12
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 1 RESERVED_BYTE
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 2 PAYLOAD_LENGTH
Dec 23 12:36:05 hoare charon: 02[ENC]    => 36
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 3 CHUNK_DATA
Dec 23 12:36:05 hoare charon: 02[ENC]    => 32 bytes @ 0x7fce38001a00
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC] parsing HASH_V1 payload finished
Dec 23 12:36:05 hoare charon: 02[ENC] parsing DELETE_V1 payload, 28 
bytes left
Dec 23 12:36:05 hoare charon: 02[ENC] parsing payload from => 28 bytes @ 
0x7fce38004844
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 0 U_INT_8
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 1 RESERVED_BIT
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 2 RESERVED_BIT
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 3 RESERVED_BIT
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 4 RESERVED_BIT
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 5 RESERVED_BIT
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 6 RESERVED_BIT
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 7 RESERVED_BIT
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 8 RESERVED_BIT
Dec 23 12:36:05 hoare charon: 02[ENC]    => 0
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 9 PAYLOAD_LENGTH
Dec 23 12:36:05 hoare charon: 02[ENC]    => 28
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 10 U_INT_32
Dec 23 12:36:05 hoare charon: 02[ENC]    => 1
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 11 U_INT_8
Dec 23 12:36:05 hoare charon: 02[ENC]    => 1
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 12 U_INT_8
Dec 23 12:36:05 hoare charon: 02[ENC]    => 16
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 13 U_INT_16
Dec 23 12:36:05 hoare charon: 02[ENC]    => 1
Dec 23 12:36:05 hoare charon: 02[ENC]   parsing rule 14 CHUNK_DATA
Dec 23 12:36:05 hoare charon: 02[ENC]    => 16 bytes @ 0x7fce38001060
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC] parsing DELETE_V1 payload finished
Dec 23 12:36:05 hoare charon: 02[ENC] parsed content of encryption payload
Dec 23 12:36:05 hoare charon: 02[ENC] insert decrypted payload of type 
HASH_V1 at end of list
Dec 23 12:36:05 hoare charon: 02[ENC] insert decrypted payload of type 
DELETE_V1 at end of list
Dec 23 12:36:05 hoare charon: 02[ENC] process payload of type HASH_V1
Dec 23 12:36:05 hoare charon: 02[ENC] process payload of type DELETE_V1
Dec 23 12:36:05 hoare charon: 02[ENC] verifying message structure
Dec 23 12:36:05 hoare charon: 02[ENC] found payload of type DELETE_V1
Dec 23 12:36:05 hoare charon: 02[ENC] parsed INFORMATIONAL_V1 request 
1371129235 [ HASH D ]
Dec 23 12:36:05 hoare charon: 02[IKE] Hash => 32 bytes @ 0x7fce38001010
Dec 23 12:36:05 hoare charon: 02[IKE]    ...
Dec 23 12:36:05 hoare charon: 02[ENC] HASH received => 32 bytes @ 
0x7fce38001a00
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[ENC] HASH expected => 32 bytes @ 
0x7fce38001010
Dec 23 12:36:05 hoare charon: 02[ENC]    ...
Dec 23 12:36:05 hoare charon: 02[IKE] next IV for MID 1371129235 => 16 
bytes @ 0x7fce38001040
Dec 23 12:36:05 hoare charon: 02[IKE]    ...
Dec 23 12:36:05 hoare charon: 02[IKE] received DELETE for IKE_SA home[1]
Dec 23 12:36:05 hoare charon: 02[IKE] deleting IKE_SA home[1] between 
192.168.2.101[192.168.2.101]...195.1.2.3[10.20.223.136]
Dec 23 12:36:05 hoare charon: 02[IKE] IKE_SA home[1] state change: 
ESTABLISHED => DELETING
Dec 23 12:36:05 hoare charon: 02[MGR] checkin and destroy IKE_SA home[1]
Dec 23 12:36:05 hoare charon: 02[IKE] IKE_SA home[1] state change: 
DELETING => DESTROYING
Dec 23 12:36:05 hoare charon: 02[IKE] removing DNS server 10.20.100.21 
from /etc/resolv.conf
Dec 23 12:36:05 hoare charon: 02[IKE] removing DNS server 10.20.151.21 
from /etc/resolv.conf
Dec 23 12:36:05 hoare charon: 02[KNL] deleting virtual IP 10.20.223.203
Dec 23 12:36:05 hoare charon: 02[MGR] check-in and destroy of IKE_SA 
successful
Dec 23 12:36:11 hoare charon: 03[JOB] got event, queuing job for execution
Dec 23 12:36:11 hoare charon: 03[JOB] next event in 3231s 862ms, waiting
Dec 23 12:36:11 hoare charon: 14[MGR] checkout IKE_SA

I have no access to the logfiles of the gateway but I can ask the admin 
to give me the logs if necessary.

Do you have an idea if there is some wrong configuration on my side?

Regards

Markus


On 12/23/2012 08:53 AM, Andreas Steffen wrote:
> Hi Markus,
>
> looking at your log and your ip xfrm and ip route entries the
> connection seems successfully up and running.
> Actually the table 220 entry
>
>   default via 192.168.2.1 dev wlan0  proto static  src 10.20.223.225
>
> implements the virtual interface. If you notice that this route
> disappears then the NCP gateway might have deleted the connection.
> Do you register any further log entries?
>
> Regards
>
> Andreas
>
> On 22.12.2012 17:01, Markus Mazurczak wrote:
>> Hi all,
>>
>> I have been trying to configure strongswan for 2 weeks now and I am not able
>> to get a working connection.
>>
>> I hope that someone can help me.
>>
>> What I try to do:
>>
>> I want to connect into the intranet of the company I am working for
>> using my Laptop. We have an NCP Secure Communications gateway Server
>> installed which uses a PSK and XAuth for authentication and 
>> authorization.
>> That gateway offers a new IP address (Virtual-IP) and 2 DNS Servers.
>>
>> I use Strongswan 5.0.1 at Archlinux.
>>
>> Until now I managed to get a working connection. This means, that I can
>> build up the IPSec tunnel.
>>
>> This is my actual configuration (IPs are not the correct ones ;)).
>>
>> strongswan.conf
>> ------------------------
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>>       # number of worker threads in charon
>>       threads = 16
>>       #port_nat_t = 4500
>>       #load = aes des sha1 sha2 md5 gmp random nonce hmac stroke
>> kernel-netlink socket-default updown resolv request_virtual_ip
>> }
>>
>> pluto {
>>
>> }
>>
>> libstrongswan {
>>
>>       #  set to no, the DH exponent size is optimized
>>       #  dh_exponent_ansi_x9_42 = no
>> }
>>
>> ipsec.conf:
>> ---------------
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>       charondebug="dmn 4, mgr 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl
>> 4, net 4, asn 4, enc 4, lib 4, esp 4, tls 4, tnc 4, imc 4, imv 4, pts 4"
>>
>> conn %default
>>       ikelifetime=60m
>>       keylife=20m
>>       rekeymargin=3m
>>       keyingtries=1
>>       keyexchange=ikev1
>>       aggressive=no
>>       compress=no
>>       esp=aes256-sha256--modp1024
>>       ike=aes256-sha256--modp1024
>>       installpolicy=yes
>>       type=tunnel
>>       leftikeport=4500
>>       rightikeport=4500
>>       mobike=yes
>>
>> conn home
>>       left=%any
>>       leftsourceip=%config
>>       leftfirewall=no
>>       leftauth=psk
>>       leftauth2=xauth
>>       right=195.1.2.3
>>       rightsubnet=0.0.0.0/0
>>       rightauth=psk
>>       rightid=%any
>>       xauth_identity=myUsername
>>       auto=add
>>
>> ipsec.secrets:
>> ------------------
>> : PSK "PreSharedKey"
>> : XAUTH "MyPassword"
>>
>>
>> 195.1.2.3 is the IP of the public interface of our VPN gateway. By now I
>> want to tunnel all my traffic. That's why I configured 
>> rightsubnet=0.0.0.0/0.
>>
>> Here is the topology of what I am trying:
>>
>> I am using a Notebook with an IP of 192.168.2.101 and I am behind a
>> router which has the IP 192.168.2.1. I want to build up a tunnel to the
>> Gateway 195.1.2.3, the gateway offers me an IP address always from the
>> pool 10.20.223.0/24 and from that point I think all my traffic should go
>> through the tunnel to the gateway 195.1.2.3 with a source IP of
>> 10.20.223.0/24.
>>
>> If I start building the tunnel I see the following output:
>>
>> root at hoare: ~$>ipsec up home
>> initiating Main Mode IKE_SA home[1] to 195.1.2.3
>> generating ID_PROT request 0 [ SA V V V ]
>> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
>> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
>> parsed ID_PROT response 0 [ SA V V V V V V ]
>> received XAuth vendor ID
>> received NAT-T (RFC 3947) vendor ID
>> received DPD vendor ID
>> received unknown vendor ID:
>> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:c0:00:00:00
>> received Cisco Unity vendor ID
>> received unknown vendor ID: 
>> c6:f5:7a:c3:98:f4:93:20:81:45:b7:58:1e:87:89:83
>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
>> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
>> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
>> local host is behind NAT, sending keep alives
>> remote host is behind NAT
>> generating ID_PROT request 0 [ ID HASH ]
>> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
>> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
>> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
>> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
>> parsed TRANSACTION request 1390831875 [ HASH CP ]
>> generating TRANSACTION response 1390831875 [ HASH CP ]
>> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
>> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
>> parsed TRANSACTION request 4028851316 [ HASH CP ]
>> XAuth authentication of 'myUsername' (myself) successful
>> IKE_SA home[1] established between
>> 192.168.2.101[192.168.2.101]...195.1.2.3[10.20.223.136]
>> scheduling reauthentication in 3322s
>> maximum IKE_SA lifetime 3502s
>> generating TRANSACTION response 4028851316 [ HASH CP ]
>> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
>> generating TRANSACTION request 887603534 [ HASH CP ]
>> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
>> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
>> parsed TRANSACTION response 887603534 [ HASH CP ]
>> installing DNS server 10.20.100.21 to /etc/resolv.conf
>> installing DNS server 10.20.151.21 to /etc/resolv.conf
>> installing new virtual IP 10.20.223.225
>> generating QUICK_MODE request 2572835224 [ HASH SA No KE ID ID ]
>> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
>> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
>> parsed QUICK_MODE response 2572835224 [ HASH SA No KE ID ID ]
>> CHILD_SA home{1} established with SPIs cba38bd9_i d6f6f51c_o and TS
>> 10.20.223.225/32 === 0.0.0.0/0
>> root at hoare: ~$>
>>
>> Executing 'ip route list' gives me:
>> default via 192.168.2.1 dev wlan0  proto static
>> 192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.101
>>
>> and 'ip list route table 220' shows:
>> default via 192.168.2.1 dev wlan0  proto static  src 10.20.223.225
>>
>> The command 'ip xfrm policy' gives back:
>> src 0.0.0.0/0 dst 10.20.223.225/32
>>           dir fwd priority 1923
>>           tmpl src  dst 192.168.2.101
>>                   proto esp reqid 2 mode tunnel
>> src 0.0.0.0/0 dst 10.20.223.225/32
>>           dir in priority 1923
>>           tmpl src 195.1.2.3 dst 192.168.2.101
>>                   proto esp reqid 2 mode tunnel
>> src 10.20.223.225/32 dst 0.0.0.0/0
>>           dir out priority 1923
>>           tmpl src 192.168.2.101 dst 195.1.2.3
>>                   proto esp reqid 2 mode tunnel
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>           socket in priority 0
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>           socket out priority 0
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>           socket in priority 0
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>           socket out priority 0
>> src ::/0 dst ::/0
>>           socket in priority 0
>> src ::/0 dst ::/0
>>           socket out priority 0
>> src ::/0 dst ::/0
>>           socket in priority 0
>> src ::/0 dst ::/0
>>           socket out priority 0
>>
>> After a minute or two if I re-execute 'ip route list table 220' I get no
>> output, table 220 is empty. Is this correct? I also see, that the
>> offered DNS servers are deleted from /etc/resolv.conf.
>>
>> After I established the tunnel using the above mentioned configuration
>> and I try to enter one of our Intranet-Sites I see a lot of ESP traffic
>> (using wireshark) but I never get back an answer.
>>
>> Using the NCP client under windows I can see that the client installs a
>> virtual network interface. Connecting to the gateway the client assigns
>> the offered virtual IP to this interface. I am also able to connect into
>> the company's intranet using my HTC smartphone with its pre-installed VPN
>> client. So, I think there is no special protocol behaviour of the NCP
>> VPN gateway.
>>
>> I will appreciate any help.
>>
>> Thanks and regards
>>
>> Markus
>
>
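As an added example (not from this mail thread and not strongSwan's own code), a small Python parser over charon log lines like the ones Markus posted: it records when each IKE_SA and CHILD_SA came up, whether the peer sent a DELETE for it, how long after establishment that happened, and the ESP byte counters reported at close. The sample log is constructed to mirror the quoted session (SPIs, virtual IP and timing are illustrative).

```python
import re
from datetime import datetime

# Constructed sample, modelled on the charon log quoted in the mail
# (timestamps, SPIs and addresses are illustrative; the establish lines
# are placed one minute before the DELETE, as the mail describes).
SAMPLE_LOG = """\
Dec 23 12:35:05 hoare charon: 05[IKE] IKE_SA home[1] established between 192.168.2.101[192.168.2.101]...195.1.2.3[10.20.223.136]
Dec 23 12:35:05 hoare charon: 05[IKE] CHILD_SA home{1} established with SPIs cd535e7a_i 8cb72da0_o and TS 10.20.223.203/32 === 0.0.0.0/0
Dec 23 12:35:06 hoare charon: 05[KNL] 192.168.2.101 is on interface wlan0
Dec 23 12:36:05 hoare charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 8cb72da0
Dec 23 12:36:05 hoare charon: 15[IKE] closing CHILD_SA home{1} with SPIs cd535e7a_i (0 bytes) 8cb72da0_o (1226 bytes) and TS 10.20.223.203/32 === 0.0.0.0/0
Dec 23 12:36:05 hoare charon: 02[IKE] received DELETE for IKE_SA home[1]
Dec 23 12:36:05 hoare charon: 02[KNL] deleting virtual IP 10.20.223.203
"""

# syslog prefix: "<Mon> <day> <hh:mm:ss> <host> charon: <thread>[<group>] <msg>"
LINE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (.*)$")
IKE_UP = re.compile(r"IKE_SA (\S+\[\d+\]) established between")
CHILD_UP = re.compile(r"CHILD_SA (\S+\{\d+\}) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CHILD_DEL = re.compile(r"received DELETE for ESP CHILD_SA with SPI ([0-9a-f]+)")
CHILD_CLOSE = re.compile(r"closing CHILD_SA (\S+\{\d+\}) with SPIs [0-9a-f]+_i \((\d+) bytes\) [0-9a-f]+_o \((\d+) bytes\)")
IKE_DEL = re.compile(r"received DELETE for IKE_SA (\S+\[\d+\])")

def analyze(log_text):
    """Return per-SA records: when it came up, whether the peer tore it down,
    how long it lived, and how many ESP bytes went in/out before the close."""
    ike, child = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog carries no year; deltas within one year are still correct
        when, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)
        if (u := IKE_UP.search(msg)):
            ike[u.group(1)] = {"up": when, "peer_deleted": None, "lifetime_s": None}
        elif (u := CHILD_UP.search(msg)):
            child[u.group(1)] = {"up": when, "spi_out": u.group(3), "peer_deleted": None,
                                 "bytes_in": None, "bytes_out": None}
        elif (d := CHILD_DEL.search(msg)):
            # the peer names the outbound SPI (its inbound one) in the DELETE
            for rec in child.values():
                if rec["spi_out"] == d.group(1):
                    rec["peer_deleted"] = when
        elif (c := CHILD_CLOSE.search(msg)) and c.group(1) in child:
            rec = child[c.group(1)]
            rec["bytes_in"], rec["bytes_out"] = int(c.group(2)), int(c.group(3))
        elif (d := IKE_DEL.search(msg)) and d.group(1) in ike:
            rec = ike[d.group(1)]
            rec["peer_deleted"] = when
            rec["lifetime_s"] = int((when - rec["up"]).total_seconds())
    return {"ike": ike, "child": child}

def findings(log_text):
    """Human-readable diagnosis lines, one per SA the peer tore down."""
    out = []
    r = analyze(log_text)
    for name, rec in r["ike"].items():
        if rec["peer_deleted"]:
            out.append(f"{name}: peer sent DELETE {rec['lifetime_s']}s after establishment")
    for name, rec in r["child"].items():
        if rec["peer_deleted"] and rec["bytes_in"] == 0 and rec["bytes_out"]:
            out.append(f"{name}: {rec['bytes_out']} bytes sent, 0 received before peer DELETE "
                       "(one-way ESP; compare with the gateway-side log)")
    return out
```

Run `findings(open("/var/log/charon.log").read())` (path assumed) against a full log to get the same summary for a real session.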