[strongSwan] Setup client using main mode/draft-ietf-ipsec-nat-t-ike-02

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 17 09:46:23 CEST 2013

Hi Damien,

no special ipsec interface is created. Linux automatically
routes traffic to an from the IPsec tunnel installed in
the kernel. This means that you don't need to do any
special configuration.



On 17.06.2013 09:08, Damien Benoist wrote:
> Martin,
> I did the changes you suggested.
> I now get a "connection 'cnx' established successfully.
> So it seems that the client and server now understand eachother.
> I expected to have a new network interface.
> Some threads are talking of an "ipsec" interface
> but I have none.
> So I just don't know how to use the connection.
> Can you tell me what I have to do now
> or point me to the right doc?
> Thanks again!
> 2013/6/11 Martin Willi <martin at strongswan.org>:
>> Damien,
>>> Encryption-Algorithm : 3DES-CBC
>>> Hash-Algorithm : SHA
>>> Alternate 1024-bit MODP group
>> The IKE proposal uses 3des-sha1, the responder might not like our
>> default set (aes128-sha1 or 3des-md5). You might try it with:
>>    ike=3des-sha1-modp1024!
>> But the default might work as well, depends on the responder what it
>> allows.
>>> Authentication-Method : XAUTHInitRSA
>> Looks like the responder expects RSA client authentication followed by
>> an XAuth exchange. You can configure this using:
>>    leftauth=pubkey
>>    leftauth2=xauth
>> Have a look at [1] for a complete example. Beside the
>> certificate/private key from the PKCS#12 container, you'll need a
>> password in ipsec.secrets.
>> Regards
>> Martin
>> [1]http://www.strongswan.org/uml/testresults/ikev1/xauth-rsa/index.html
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130617/382c69fc/attachment.bin>

More information about the Users mailing list