[strongSwan] site-to-host problem
cgallucci at inwind.it
cgallucci at inwind.it
Wed Jul 3 09:05:11 CEST 2013
HI all.
I'm new about Strongswan and i'm stucced about following problem.
I have I VPN configurered on a test platofrm and all works fine.
My conf are following:
Ipsec.conf:
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev1
mobike=no
conn euronet_10_21
esp=aes256-md5-modp1024!
ike=aes256-md5-modp1024!
ikelifetime=1h
lifetime=1h
leftid=95.229.254.18
lifebytes=4608000
left=192.168.1.103
leftsubnet=192.168.1.103/32
right=89.96.89.244
rightsubnet=10.21.129.1/32
auto=start
keyexchange=ikev1
leftfirewall=yes
type=tunnel
lefthostaccess=yes
ON test my pc (192.168.1.103) as you see is behind a gateway.
I trasport this congfiguration on my production server but it doesn't work.
Ipsec.conf:
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev1
mobike=no
conn euronet_10_21
esp=aes256-md5-modp1024!
ike=aes256-md5-modp1024!
ikelifetime=1h
lifetime=1h
leftid=46.37.24.109
lifebytes=4608000
left=46.37.24.109
leftsubnet=46.37.24.109/32
right=89.96.89.244
rightsubnet=10.21.129.1/32
#auto=start
keyexchange=ikev1
leftfirewall=yes
type=tunnel
lefthostaccess=yes
ON production my pc (46.37.24.109) direct connect to internet.
Ipsec statusall on production is this:
[root at admin23775895 ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-279.22.1.el6.
x86_64, x86_64):
uptime: 11 minutes, since Jul 03 08:30:34 2013
malloc: sbrk 233472, mmap 0, used 121856, free 111616
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
scheduled: 2
loaded plugins: charon aes des sha1 sha2 md5 random nonce gmp hmac stroke
kernel-netlink socket-default updown
Listening IP addresses:
46.37.24.109
Connections:
host-to-host: 46.37.24.109...89.96.89.244 IKEv1
host-to-host: local: [46.37.24.109] uses pre-shared key authentication
host-to-host: remote: [89.96.89.244] uses pre-shared key authentication
host-to-host: child: 46.37.24.109/32 === 10.21.129.1/32 TUNNEL
Routed Connections:
host-to-host{1}: ROUTED, TUNNEL
host-to-host{1}: 46.37.24.109/32 === 10.21.129.1/32
Security Associations (1 up, 0 connecting):
host-to-host[1]: ESTABLISHED 11 minutes ago, 46.37.24.109[46.37.24.109]...
89.96.89.244[89.96.89.244]
host-to-host[1]: IKEv1 SPIs: 0f3f1f6ec7b4f4c7_i* b3ad1d0905f03590_r, pre-
shared key reauthentication in 43 minutes
host-to-host[1]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Connection is ESTABLISHED by tunnel doesn come up.
Charon.log is:
tail: charon.log: file truncated
Jul 3 08:30:34 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux
2.6.32-279.22.1.el6.x86_64, x86_64)
Jul 3 08:30:34 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.
d/cacerts'
Jul 3 08:30:34 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.
d/aacerts'
Jul 3 08:30:34 00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
Jul 3 08:30:34 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Jul 3 08:30:34 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul 3 08:30:34 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 3 08:30:34 00[CFG] loaded IKE secret for %any 46.37.24.109 89.96.89.244
Jul 3 08:30:34 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random
nonce gmp hmac stroke kernel-netlink socket-
default updown
Jul 3 08:30:34 00[JOB] spawning 16 worker threads
Jul 3 08:30:34 08[CFG] received stroke: add connection 'host-to-host'
Jul 3 08:30:34 08[CFG] added configuration 'host-to-host'
Jul 3 08:30:34 10[CFG] received stroke: route 'host-to-host'
Jul 3 08:30:53 01[KNL] creating acquire job for policy 46.37.24.109/32[tcp]
=== 10.21.129.1/32[tcp/optocontrol] with reqid {1}
Jul 3 08:30:53 14[IKE] initiating Main Mode IKE_SA host-to-host[1] to
89.96.89.244
Jul 3 08:30:53 14[ENC] generating ID_PROT request 0 [ SA V V V V ]
Jul 3 08:30:53 14[NET] sending packet: from 46.37.24.109[500] to 89.96.89.244
[500] (156 bytes)
Jul 3 08:30:53 15[NET] received packet: from 89.96.89.244[500] to 46.37.24.109
[500] (104 bytes)
Jul 3 08:30:53 15[ENC] parsed ID_PROT response 0 [ SA V ]
Jul 3 08:30:53 15[IKE] received NAT-T (RFC 3947) vendor ID
Jul 3 08:30:53 15[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 3 08:30:53 15[NET] sending packet: from 46.37.24.109[500] to 89.96.89.244
[500] (236 bytes)
Jul 3 08:30:53 07[NET] received packet: from 89.96.89.244[500] to 46.37.24.109
[500] (296 bytes)
Jul 3 08:30:53 07[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D
]
Jul 3 08:30:53 07[ENC] generating ID_PROT request 0 [ ID HASH ]
Jul 3 08:30:53 07[NET] sending packet: from 46.37.24.109[500] to 89.96.89.244
[500] (76 bytes)
Jul 3 08:30:54 09[NET] received packet: from 89.96.89.244[500] to 46.37.24.109
[500] (76 bytes)
Jul 3 08:30:54 09[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jul 3 08:30:54 09[IKE] IKE_SA host-to-host[1] established between 46.37.24.109
[46.37.24.109]...89.96.89.244[89.96.89.244]
Jul 3 08:30:54 09[IKE] scheduling reauthentication in 3268s
Jul 3 08:30:54 09[IKE] maximum IKE_SA lifetime 3448s
Jul 3 08:30:54 09[ENC] generating QUICK_MODE request 342219800 [ HASH SA No
KE ID ID ]
Jul 3 08:30:54 09[NET] sending packet: from 46.37.24.109[500] to 89.96.89.244
[500] (300 bytes)
Jul 3 08:30:54 08[NET] received packet: from 89.96.89.244[500] to 46.37.24.109
[500] (92 bytes)
Jul 3 08:30:54 08[ENC] parsed INFORMATIONAL_V1 request 1534590516 [ HASH N
(NO_PROP) ]
Jul 3 08:30:54 08[IKE] received NO_PROPOSAL_CHOSEN error notify
What's the problem?
Thanks in advance.
Carmelo GAllucci
_________________________
Ing. Carmelo Gallucci
Tecnoplus S.a.s
Via Torre Alta Inferiore snc
Palazzo Carbone 87100 Cosenza
Tel. 0984395038 (Interno 42) Fax. 09841800580
Cell. 3497609477
Skype. Carmelogallucci
Mail. carmelo.gallucci at tecnoplus.biz
PEC. pec.tecnoplus at cert.telecompec.it
URL. http://www.tecnoplus.biz
More information about the Users
mailing list