[strongSwan] Roadwarrior Config

Andreas Steffen andreas.steffen at strongswan.org
Thu May 10 06:29:28 CEST 2012


Hi Chris,

1) IKEv1 comes with XAUTH whereas IKEv2 goes with EAP, so please
   don't mix up those client authentication methods. Several IKEv2
   EAP examples can be found under the link

   http://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples

   or interoperating with the Windows 7 client (case B) under

   http://wiki.strongswan.org/projects/strongswan/wiki/Windows7

2) If strongSwan is a VPN gateway with right=%any then it always
   acts as a passive responder (how should it initiate a connection
   if the client's destination IP address is not known?)
   Thus ipsec up rclients does not make sense.
   Just execute ipsec start and wait for the clients to connect.

Best regards

Andreas

On 05/09/2012 11:53 PM, Chris Arnold wrote:
> StrongSwan 4.4.x on SLES11 SP2. We have an existing site-to-site ikev2 with certs. Now we want to add roadwarrior config to strongswan and use Windoze 7 VPN client xauth with mobike. Here is the ipsec.conf:
> config setup
> 	# plutodebug=all
> 	  crlcheckinterval=600
> 	  strictcrlpolicy=no
> 	# cachecrls=yes
> 	  nat_traversal=yes
> 	# charonstart=no
> 	  plutostart=no
> 
> # Add connections here.
> 
> conn %default
> 	ikelifetime=28800s
> 	keylife=20m
> 	rekeymargin=3m
> 	keyingtries=1
> 	#authby=secret
> 	keyexchange=ikev2
> 	mobike=no
> 
> conn rclients
> 	keyexchange=ikev2
> 	authby=xauthrsasig
> 	xauth=server
> 	left=192.168.1.18
> 	leftcert=moonCert.pem
> 	#leftid=
> 	leftsubnet=192.168.1.0/24
> 	right=%any
> 	auto=add
> 
> conn teknerds
> 	left=%defaultroute
> 	leftcert=moonCert.pem
> 	leftsubnet=192.168.1.0/24
> 	right=right.pub.ip
> 	rightsubnet=192.168.123.0/24
> 	rightcert=sunCert.pem
> 	rightid="sunid"
> 	auto=add
> 
> ipsec up rclients does nothing on moon server:
> ELC:~ # ipsec up rclients
> ELC:~ #
> 
> Ipsec statusall shows only the teknerds tunnel. I have been following:
> http://www.strongswan.org/uml/testresults/ikev1/xauth-rsa-mode-config/index.html
> 
> Also, how is ip address handled in this config? Can the client pull an ip from the dhcp server?
> Thanks for any help


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
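
The two points in the reply above, turned into a small ipsec.conf audit. This is an added example, not part of the original thread or of strongSwan; the function names `parse_conns` and `audit` are hypothetical, and the sample is constructed from the `conn %default` and `conn rclients` sections quoted below.

```python
import re

# Constructed sample: the two relevant sections of the ipsec.conf quoted in the thread.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    mobike=no

conn rclients
    keyexchange=ikev2
    authby=xauthrsasig
    xauth=server
    left=192.168.1.18
    right=%any
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(conn|config|ca)\s+(\S+)", line)
        if header:  # only 'conn' sections are collected
            current = conns.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
        elif current is not None and raw[0] in " \t" and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def audit(text):
    """Return a sorted list of (conn, finding) pairs for the two issues in the reply."""
    findings = []
    for name, opts in parse_conns(text).items():
        ikev2 = opts.get("keyexchange", "").lower() == "ikev2"
        uses_xauth = "xauth" in opts or opts.get("authby", "").lower().startswith("xauth")
        if ikev2 and uses_xauth:
            findings.append((name, "XAUTH options on an IKEv2 conn; IKEv2 uses EAP"))
        if opts.get("right") == "%any":
            findings.append((name, "right=%any: responder only, 'ipsec up' cannot initiate"))
    return sorted(findings)

if __name__ == "__main__":
    for conn, finding in audit(SAMPLE_CONF):
        print(f"{conn}: {finding}")
```
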



