[strongSwan] Proxy ID handling
Markus Stockhausen
stockhausen at collogia.de
Mon Jan 28 21:34:58 CET 2013
Hello,

here is my very simple strongSwan configuration:

version 2

config setup

conn mytunnel
        keyexchange=ikev1
        left=a.b.c.d
        right=e.f.g.h
        leftsubnet=10.150.2.0/24
        authby=psk
        rightsubnet=192.168.10.0/24
        auto=route
        esp=aes128-md5-modp1024
        ike=aes128-sha1-modp1024,aes-md5-modp1536
        type=tunnel

On the other side a Juniper SSG is running. If I establish the tunnel with "ipsec start" & "ipsec up mytunnel",
everything works fine. The Juniper receives */24 ProxyIDs. On the other hand, the tunnel won't come up if I only
do an "ipsec start" and try to ping a machine on the remote network. The Juniper device complains about
wrong */32 ProxyIDs. Here are some lines of the strongSwan log that may give a hint:

Jan 28 21:31:26 hermes daemon.info syslog: 03[ENC] parsed ID_PROT request 0 [ KE No ]
Jan 28 21:31:26 hermes daemon.info syslog: 08[KNL] creating acquire job for policy 10.150.2.97/32[icmp/8] === 192.168.10.1/32[icmp] with reqid {1}
Jan 28 21:31:26 hermes kern.debug kernel: [ 5042.102487] ip_finish_output2: No header cache and no neighbour!
Jan 28 21:31:26 hermes daemon.info syslog: 03[ENC] generating ID_PROT response 0 [ KE No ]

Maybe someone can help.

Markus
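
A check for the symptom in the log above, as an added example that is not part of the original post or of strongSwan: it parses the "creating acquire job" lines and reports acquires whose selectors fall inside the configured leftsubnet/rightsubnet but are narrower than them (the */32 versus */24 difference). The function names are hypothetical; the first sample line is copied from the message and the second is constructed.

```python
import ipaddress
import re

# Matches the acquire message written when a trap policy (auto=route) fires.
ACQUIRE_RE = re.compile(
    r"creating acquire job for policy "
    r"(?P<src>[0-9a-fA-F.:]+/\d+)(?:\[[^\]]*\])? === "
    r"(?P<dst>[0-9a-fA-F.:]+/\d+)(?:\[[^\]]*\])?"
)

SAMPLE_LOG = [
    # Copied from the message above.
    "Jan 28 21:31:26 hermes daemon.info syslog: 08[KNL] creating acquire job for policy "
    "10.150.2.97/32[icmp/8] === 192.168.10.1/32[icmp] with reqid {1}",
    # Constructed: an acquire that already carries the full subnets.
    "Jan 28 21:40:00 hermes daemon.info syslog: 08[KNL] creating acquire job for policy "
    "10.150.2.0/24 === 192.168.10.0/24 with reqid {1}",
]


def parse_acquire(line):
    """Return (src_net, dst_net) from an acquire log line, or None."""
    m = ACQUIRE_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_network(m.group("src"), strict=False),
            ipaddress.ip_network(m.group("dst"), strict=False))


def narrowed_acquires(lines, leftsubnet, rightsubnet):
    """List (src, dst) selectors that are inside the configured subnets
    but have a longer prefix than the configuration asks for."""
    left = ipaddress.ip_network(leftsubnet)
    right = ipaddress.ip_network(rightsubnet)
    findings = []
    for line in lines:
        parsed = parse_acquire(line)
        if parsed is None:
            continue
        src, dst = parsed
        if src.version != left.version or dst.version != right.version:
            continue  # subnet_of() raises TypeError on mixed IPv4/IPv6
        inside = src.subnet_of(left) and dst.subnet_of(right)
        narrower = src.prefixlen > left.prefixlen or dst.prefixlen > right.prefixlen
        if inside and narrower:
            findings.append((str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for src, dst in narrowed_acquires(SAMPLE_LOG, "10.150.2.0/24", "192.168.10.0/24"):
        print(f"acquire narrower than configured subnets: {src} === {dst}")
```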