[strongSwan] Strongswan on Kali linux

Noel Kuntze noel at familie-kuntze.de
Fri Jul 4 13:21:28 CEST 2014


Hello Arvindhar,

Please read [1]. 

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Also, if you have any iptables rules on the VPN server, you need to allow traffic between the LAN and IPsec peers.

Regards,
Noel Kuntze


GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 04.07.2014 13:14, schrieb Arvindhar Subbu:
> Dear Noel,
> 
> I'm unable to access network resources behind the VPN server.
> 
> _Kali Server_
> 
> Kali WAN - 11.12.13.15
> Kali LAN - 192.168.7.1
> LAN side server - 192.168.7.5
> 
> Test:
> 1. Road Warrior unable to reach 192.168.7.5 but pinging 192.168.7.1 over vpn connection
> 2. Got ping reply for ip 192.168.7.5 from Kali Server LAN interface 192.168.7.1
>  
> Any changes required in ipsec.conf or iptables?
> 
> Kindly suggest.
> 
> Thank you,
> s.s. arvindhar
> 
> 
> ------------------------------------------------------------
> From: arvindhar at hotmail.com
> To: noel at familie-kuntze.de; users at lists.strongswan.org
> Subject: RE: [strongSwan] Strongswan on Kali linux
> Date: Thu, 3 Jul 2014 12:22:43 +0000
> 
> I changed to Main mode in client.
> 
> Thank you,
> s.s.arvindhar
> 
> ------------------------------------------------------------
> From: arvindhar at hotmail.com
> To: noel at familie-kuntze.de; users at lists.strongswan.org
> Subject: RE: [strongSwan] Strongswan on Kali linux
> Date: Thu, 3 Jul 2014 12:21:53 +0000
> 
> Thank you Noel, it connected. Will update you once I finish the below tests
> 
> 1. NAT test
> 2. Ping communication test
> 3. Split tunnel test
> 4. Android test
> 5. iPhone test
> 
> Thank you,
> s.s.arvindhar
> 
> 
> 
>> Date: Thu, 3 Jul 2014 13:39:48 +0200
>> From: noel at familie-kuntze.de
>> To: arvindhar at hotmail.com; users at lists.strongswan.org
>> Subject: Re: [strongSwan] Strongswan on Kali linux
>>
> Hello Arvindhar,
> 
> As I wrote before, you need to set aggressive=yes in conn %default or conn rw
> or make the Shrewsoft Client initiate in main mode, not aggressive mode.
> 
> Regards,
> Noel Kuntze
> 
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> Am 03.07.2014 13:37, schrieb Arvindhar Subbu:
>> Dear Noel,
> 
>> Please check below ipsec.conf data. Kindly let me know if you want to know more details.
> 
>> ***********ipsec.conf************************************************
>> # ipsec.conf - strongSwan IPsec configuration file
>> # basic configuration
>> config setup
>> conn %default
>>     type=tunnel
>>     ike=aes128-sha1-modp2048,3des-sha1-modp1536
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev1
>>     esp=aes128-sha1,3des-sha1
>>     mobike=yes
>>     leftikeport=4500
>>     rightikeport=4500
>> conn rw
>>     left=11.12.13.15
>>     leftcert=gatewayCert.pem
>>     leftid=arvindhar at gmail.com
>>     leftfirewall=yes
>>     right=%any
>>     rightsourceip=192.168.20.0/24
>>     auto=add
> 
>> # strictcrlpolicy=yes
>> # uniqueids = no
>> # Add connections here.
>> # Sample VPN connections
>> # conn sample-self-signed
>> # leftsubnet=10.1.0.0/16
>> # leftcert=selfCert.der
>> # leftsendcert=never
>> # right=192.168.0.2
>> # rightsubnet=10.2.0.0/16
>> # rightcert=peerCert.der
>> # auto=start
>> #conn sample-with-ca-cert
>> # leftsubnet=10.1.0.0/16
>> # leftcert=myCert.pem
>> # right=192.168.0.2
>> # rightsubnet=10.2.0.0/16
>> # rightid="C=CH, O=Linux strongSwan CN=peer name"
>> # auto=start
> 
>> ***************************************************************************
> 
>> Thank you,
>> s.s.arvindhar
> 
> 
>>> Date: Thu, 3 Jul 2014 12:30:08 +0200
>>> From: noel at familie-kuntze.de
>>> To: users at lists.strongswan.org
>>> Subject: Re: [strongSwan] Strongswan on Kali linux
> 
>> Hello Arvindhar,
> 
>> You need to set aggressive=yes in the conn. Also, please show us your ipsec.conf.
> 
>> Regards,
>> Noel Kuntze
> 
>> GPG Key id: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
>> Am 03.07.2014 11:58, schrieb Arvindhar Subbu:
>>> Hi,
> 
>>> Unable to connect to Strongswan server from Road warrior.
> 
>>> I'm following 2dd.it strongswan guide to deploy on kali linux as a server and windows 7 as a road warrior. Please help/clue to solve.
> 
>>> www.2dd.it/articoli/sicurezza-informatica/ipsec-installation/#.U7UnPbdvZY8
> 
>>> Jul 1 12:00:12 vpneye charon: 13[ENC] received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
>>> Jul 1 12:00:12 vpneye charon: 13[ENC] received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
>>> Jul 1 12:00:12 vpneye charon: 13[ENC] received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
>>> Jul 1 12:00:12 vpneye charon: 13[IKE] received Cisco Unity vendor ID
>>> Jul 1 12:00:12 vpneye charon: 13[IKE] ignoring certificate request without data
>>> Jul 1 12:00:12 vpneye charon: 13[IKE] 11.12.13.18 is initiating a Aggressive Mode IKE_SA
>>> Jul 1 12:00:12 vpneye charon: 13[CFG] looking for RSA signature peer configs matching 11.12.13.15...11.12.13.18[C=IN, ST=TN, O=BUGBRAINS, OU=IT, CN=MILEYCYRUS, E=arvindhar at gmail.com]
>>> Jul 1 12:00:12 vpneye charon: 13[IKE] no peer config found
>>> Jul 1 12:00:12 vpneye charon: 13[ENC] generating INFORMATIONAL_V1 request 152362081 [ N(AUTH_FAILED) ]
>>> Jul 1 12:00:12 vpneye charon: 13[NET] sending packet: from 11.12.13.15[500] to 11.12.13.18[500] (56 bytes)
> 
>>> Thank you,
>>> s.s.arvindhar
> 
> 
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
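The forwarding and firewall point from Noel's reply at the top of this message, as an added example that is not part of the original thread: it prints the sysctl and iptables commands for the gateway so they can be reviewed before they are applied. The pool is the rightsourceip from the posted ipsec.conf; the /24 prefix for the LAN and the function names `is_cidr` and `vpn_forward_cmds` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Intended for the strongSwan gateway.
POOL="192.168.20.0/24"  # rightsourceip in the posted ipsec.conf
LAN="192.168.7.0/24"    # ASSUMED prefix length; the thread only names 192.168.7.1 and 192.168.7.5

# Accept only digits, dots and a single slash, because the printed
# commands are meant to be piped to a root shell.
is_cidr() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the commands that let the gateway route between
# the road-warrior pool and the LAN. Hypothetical helper for this example.
vpn_forward_cmds() {
    pool=$1
    lan=$2
    is_cidr "$pool" && is_cidr "$lan" || return 1
    # With forwarding off, the gateway answers for its own 192.168.7.1
    # but does not route packets on to 192.168.7.5.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Road warrior -> LAN: only packets that arrived through an IPsec SA.
    echo "iptables -I FORWARD -s $pool -d $lan -m policy --dir in --pol ipsec -j ACCEPT"
    # LAN -> road warrior: only packets that will leave through an IPsec SA.
    echo "iptables -I FORWARD -s $lan -d $pool -m policy --dir out --pol ipsec -j ACCEPT"
}

vpn_forward_cmds "$POOL" "$LAN"
```

Review the output, then pipe it to `sh` as root. If the gateway is not the default router of 192.168.7.5, that server also needs a route to 192.168.20.0/24 via 192.168.7.1, otherwise its replies never reach the tunnel.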

