[strongSwan] site-to-host problem

cgallucci at inwind.it cgallucci at inwind.it
Wed Jul 3 09:05:11 CEST 2013


Hi all.
I'm new to strongSwan and I'm stuck on the following problem.
I have a VPN configured on a test platform and all works fine.
My conf is the following:
ipsec.conf:

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev1
        mobike=no

conn euronet_10_21
        esp=aes256-md5-modp1024!
        ike=aes256-md5-modp1024!
        ikelifetime=1h
        lifetime=1h
        leftid=95.229.254.18
        lifebytes=4608000
        left=192.168.1.103
        leftsubnet=192.168.1.103/32
        right=89.96.89.244
        rightsubnet=10.21.129.1/32
        auto=start
        keyexchange=ikev1
        leftfirewall=yes
        type=tunnel
        lefthostaccess=yes

On test my PC (192.168.1.103), as you see, is behind a gateway.

I transported this configuration to my production server but it doesn't work.
ipsec.conf:

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev1
        mobike=no
conn euronet_10_21
        esp=aes256-md5-modp1024!
        ike=aes256-md5-modp1024!
        ikelifetime=1h
        lifetime=1h
        leftid=46.37.24.109
        lifebytes=4608000
        left=46.37.24.109
        leftsubnet=46.37.24.109/32
        right=89.96.89.244
        rightsubnet=10.21.129.1/32
        #auto=start
        keyexchange=ikev1
        leftfirewall=yes
        type=tunnel
        lefthostaccess=yes

On production my PC (46.37.24.109) is directly connected to the internet.

ipsec statusall on production is this:
[root at admin23775895 ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-279.22.1.el6.
x86_64, x86_64):
  uptime: 11 minutes, since Jul 03 08:30:34 2013
  malloc: sbrk 233472, mmap 0, used 121856, free 111616
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, 
scheduled: 2
  loaded plugins: charon aes des sha1 sha2 md5 random nonce gmp hmac stroke 
kernel-netlink socket-default updown
Listening IP addresses:
  46.37.24.109
Connections:
host-to-host:  46.37.24.109...89.96.89.244  IKEv1
host-to-host:   local:  [46.37.24.109] uses pre-shared key authentication
host-to-host:   remote: [89.96.89.244] uses pre-shared key authentication
host-to-host:   child:  46.37.24.109/32 === 10.21.129.1/32 TUNNEL
Routed Connections:
host-to-host{1}:  ROUTED, TUNNEL
host-to-host{1}:   46.37.24.109/32 === 10.21.129.1/32
Security Associations (1 up, 0 connecting):
host-to-host[1]: ESTABLISHED 11 minutes ago, 46.37.24.109[46.37.24.109]...
89.96.89.244[89.96.89.244]
host-to-host[1]: IKEv1 SPIs: 0f3f1f6ec7b4f4c7_i* b3ad1d0905f03590_r, pre-
shared key reauthentication in 43 minutes
host-to-host[1]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024


The connection is ESTABLISHED but the tunnel doesn't come up.
charon.log is:
tail: charon.log: file truncated
Jul  3 08:30:34 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 
2.6.32-279.22.1.el6.x86_64, x86_64)
Jul  3 08:30:34 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.
d/cacerts'
Jul  3 08:30:34 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.
d/aacerts'
Jul  3 08:30:34 00[CFG] loading ocsp signer certificates from 
'/usr/local/etc/ipsec.d/ocspcerts'
Jul  3 08:30:34 00[CFG] loading attribute certificates from 
'/usr/local/etc/ipsec.d/acerts'
Jul  3 08:30:34 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul  3 08:30:34 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul  3 08:30:34 00[CFG]   loaded IKE secret for %any 46.37.24.109 89.96.89.244
Jul  3 08:30:34 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce gmp hmac stroke kernel-netlink socket-default updown
Jul  3 08:30:34 00[JOB] spawning 16 worker threads
Jul  3 08:30:34 08[CFG] received stroke: add connection 'host-to-host'
Jul  3 08:30:34 08[CFG] added configuration 'host-to-host'
Jul  3 08:30:34 10[CFG] received stroke: route 'host-to-host'
Jul  3 08:30:53 01[KNL] creating acquire job for policy 46.37.24.109/32[tcp] 
=== 10.21.129.1/32[tcp/optocontrol] with reqid {1}
Jul  3 08:30:53 14[IKE] initiating Main Mode IKE_SA host-to-host[1] to 
89.96.89.244
Jul  3 08:30:53 14[ENC] generating ID_PROT request 0 [ SA V V V V ]
Jul  3 08:30:53 14[NET] sending packet: from 46.37.24.109[500] to 89.96.89.244
[500] (156 bytes)
Jul  3 08:30:53 15[NET] received packet: from 89.96.89.244[500] to 46.37.24.109
[500] (104 bytes)
Jul  3 08:30:53 15[ENC] parsed ID_PROT response 0 [ SA V ]
Jul  3 08:30:53 15[IKE] received NAT-T (RFC 3947) vendor ID
Jul  3 08:30:53 15[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul  3 08:30:53 15[NET] sending packet: from 46.37.24.109[500] to 89.96.89.244
[500] (236 bytes)
Jul  3 08:30:53 07[NET] received packet: from 89.96.89.244[500] to 46.37.24.109
[500] (296 bytes)
Jul  3 08:30:53 07[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D 
]
Jul  3 08:30:53 07[ENC] generating ID_PROT request 0 [ ID HASH ]
Jul  3 08:30:53 07[NET] sending packet: from 46.37.24.109[500] to 89.96.89.244
[500] (76 bytes)
Jul  3 08:30:54 09[NET] received packet: from 89.96.89.244[500] to 46.37.24.109
[500] (76 bytes)
Jul  3 08:30:54 09[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jul  3 08:30:54 09[IKE] IKE_SA host-to-host[1] established between 46.37.24.109
[46.37.24.109]...89.96.89.244[89.96.89.244]
Jul  3 08:30:54 09[IKE] scheduling reauthentication in 3268s
Jul  3 08:30:54 09[IKE] maximum IKE_SA lifetime 3448s
Jul  3 08:30:54 09[ENC] generating QUICK_MODE request 342219800 [ HASH SA No 
KE ID ID ]
Jul  3 08:30:54 09[NET] sending packet: from 46.37.24.109[500] to 89.96.89.244
[500] (300 bytes)
Jul  3 08:30:54 08[NET] received packet: from 89.96.89.244[500] to 46.37.24.109
[500] (92 bytes)
Jul  3 08:30:54 08[ENC] parsed INFORMATIONAL_V1 request 1534590516 [ HASH N
(NO_PROP) ]
Jul  3 08:30:54 08[IKE] received NO_PROPOSAL_CHOSEN error notify

What's the problem?

Thanks in advance.

Carmelo Gallucci




_________________________
Ing. Carmelo Gallucci
Tecnoplus S.a.s

Via Torre Alta Inferiore snc
Palazzo Carbone 87100 Cosenza
Tel. 0984395038 (Interno 42)  Fax. 09841800580
Cell. 3497609477
Skype. Carmelogallucci
Mail. carmelo.gallucci at tecnoplus.biz
PEC. pec.tecnoplus at cert.telecompec.it
URL. http://www.tecnoplus.biz
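To triage a charon.log like the one above quickly, it helps to locate the exact IKEv1 milestone at which the negotiation stopped: a NO_PROPOSAL_CHOSEN notify arriving before the IKE_SA is established points at the phase 1 (ike=) proposal, while one arriving after "IKE_SA ... established" and a QUICK_MODE request points at the phase 2 (esp=, traffic selectors, lifetime) proposal. The script below is an added example written for this page, not code from the strongSwan project or from the poster; the message patterns are taken from the log excerpt above plus strongSwan's CHILD_SA success message, and the sample log lines are a constructed, unwrapped subset of that excerpt.

```python
import re

# Log messages that mark the milestones of an IKEv1 negotiation in charon.log.
# The first four message texts are taken from the log excerpt in the post above;
# the CHILD_SA line is what charon prints when Quick Mode succeeds, the state
# the poster never reaches.
MAIN_MODE_INIT = re.compile(r"initiating Main Mode IKE_SA (\S+) to (\S+)")
IKE_SA_ESTABLISHED = re.compile(r"IKE_SA (\S+) established between")
QUICK_MODE_REQUEST = re.compile(r"generating QUICK_MODE request")
NO_PROPOSAL_CHOSEN = re.compile(r"received NO_PROPOSAL_CHOSEN error notify")
CHILD_SA_ESTABLISHED = re.compile(r"CHILD_SA (\S+) established")

# charon appends an instance suffix such as "[1]" or "{1}" to connection names.
INSTANCE_SUFFIX = re.compile(r"[\[{]\d+[\]}]$")

ADVICE = {
    "phase1_proposal_rejected": (
        "peer rejected the Main Mode proposal: compare the ike= line "
        "(cipher, integrity, DH group) with the peer's phase 1 settings"),
    "phase2_proposal_rejected": (
        "IKE_SA is up but the peer rejected the Quick Mode proposal: compare "
        "esp=, the traffic selectors (leftsubnet/rightsubnet) and the IPsec SA "
        "lifetime with the peer's phase 2 settings"),
    "tunnel_up": "CHILD_SA established; the tunnel is up",
    "incomplete": "no terminal event found in this log window",
}


def diagnose(lines):
    """Walk charon.log lines in order and report where the IKEv1 negotiation stopped."""
    result = {"connection": None, "peer": None, "ike_sa_established": False,
              "quick_mode_sent": False, "failure": None}
    for line in lines:
        if m := MAIN_MODE_INIT.search(line):
            result["connection"] = INSTANCE_SUFFIX.sub("", m.group(1))
            result["peer"] = m.group(2)
        elif IKE_SA_ESTABLISHED.search(line):
            result["ike_sa_established"] = True
        elif QUICK_MODE_REQUEST.search(line):
            result["quick_mode_sent"] = True
        elif CHILD_SA_ESTABLISHED.search(line):
            result["failure"] = "tunnel_up"
            break
        elif NO_PROPOSAL_CHOSEN.search(line):
            # Same notify, different meaning depending on how far we got.
            if result["ike_sa_established"] and result["quick_mode_sent"]:
                result["failure"] = "phase2_proposal_rejected"
            else:
                result["failure"] = "phase1_proposal_rejected"
            break
    if result["failure"] is None:
        result["failure"] = "incomplete"
    result["advice"] = ADVICE[result["failure"]]
    return result


# Constructed sample: the relevant lines of the poster's log, unwrapped.
SAMPLE_LOG = [
    "Jul  3 08:30:53 14[IKE] initiating Main Mode IKE_SA host-to-host[1] to 89.96.89.244",
    "Jul  3 08:30:54 09[IKE] IKE_SA host-to-host[1] established between "
    "46.37.24.109[46.37.24.109]...89.96.89.244[89.96.89.244]",
    "Jul  3 08:30:54 09[ENC] generating QUICK_MODE request 342219800 [ HASH SA No KE ID ID ]",
    "Jul  3 08:30:54 08[ENC] parsed INFORMATIONAL_V1 request 1534590516 [ HASH N(NO_PROP) ]",
    "Jul  3 08:30:54 08[IKE] received NO_PROPOSAL_CHOSEN error notify",
]

# Constructed contrast case: the same notify arriving during Main Mode.
PHASE1_FAILURE_LOG = [
    "Jul  3 09:00:00 14[IKE] initiating Main Mode IKE_SA test[1] to 192.0.2.1",
    "Jul  3 09:00:00 14[ENC] generating ID_PROT request 0 [ SA V V V V ]",
    "Jul  3 09:00:00 15[IKE] received NO_PROPOSAL_CHOSEN error notify",
]

if __name__ == "__main__":
    for label, log in (("poster's log", SAMPLE_LOG), ("phase 1 case", PHASE1_FAILURE_LOG)):
        r = diagnose(log)
        print(f"{label}: {r['connection']} -> {r['peer']}: {r['failure']}\n  {r['advice']}")
```

Run it against a real file with `diagnose(open("/var/log/charon.log").readlines())`; because it stops at the first terminal event, feed it one negotiation attempt at a time (for example the lines since the last "initiating Main Mode") rather than a whole rotated log.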