[strongSwan] Equivalent strongswan settings for racoon config
cellkites at hushmail.com
cellkites at hushmail.com
Mon Sep 22 08:04:05 CEST 2014
Ok, well kind of replying to my own question here but i seem to have
progressed a little further. By removing the rightid parameter it
selects the correct config and reports the SA as established but it
never moves to an installed state and i receive the following log
messages. Does anyone have any ideas where the problem might lie?
conn test
keyexchange=ikev1
left=x.x.x.x
leftsubnet=0.0.0.0/0
leftfirewall=yes
right=%any
rightsourceip=192.168.1.0/24
auto=add
compress=yes
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
leftauth=psk
rightauth=psk
type=tunnel
charon: 16[NET] received packet: from y.y.y.y[500] to x.x.x.x[500]
(164 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V ]
charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02n vendor ID
charon:16[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
charon: 16[IKE] y.y.y.y is initiating a Main Mode IKE_SA
charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 16[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (136
bytes)
charon: 15[NET] received packet: from y.y.y.y[500] to x.x.x.x[500]
(228 bytes)
charon: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 15[IKE] local host is behind NAT, sending keep alives
charon: 15[IKE] remote host is behind NAT
charon: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 15[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (244
bytes)
charon: 11[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500]
(76 bytes)
charon: 11[ENC] parsed ID_PROT request 0 [ ID HASH ]
charon: 11[CFG] looking for pre-shared key peer configs matching
x.x.x.x...y.y.y.y[z.z.z.z]
charon: 11[CFG] selected peer config "test"
charon: 11[IKE] IKE_SA test[4331] established between
x.x.x.x[x.x.x.x]...y.y.y.y[z.z.z.z]
charon: 11[IKE] scheduling reauthentication in 3244s
charon: 11[IKE] maximum IKE_SA lifetime 3424s
charon: 11[ENC] generating ID_PROT response 0 [ ID HASH ]
charon: 11[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500]
(76 bytes)
charon: 09[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500]
(92 bytes)
charon: 09[ENC] parsed INFORMATIONAL_V1 request 3154582366 [ HASH
N(INITIAL_CONTACT) ]
charon: 13[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500]
(156 bytes)
charon: 13[ENC] parsed QUICK_MODE request 4000683564 [ HASH SA No ID
ID ]
charon: 13[IKE] no matching CHILD_SA config found
charon: 13[ENC] generating INFORMATIONAL_V1 request 2885462951 [ HASH
N(INVAL_ID) ]
charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500]
(76 bytes)
charon: 10[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500]
(156 bytes)
charon: 10[IKE] received retransmit of request with ID 4000683564, but
no response to retransmit
On 20/9/2014 at 8:48 AM, cellkites at hushmail.com wrote:Apologies,
cutting and pasting must have mangled the email, here's my ipsec.conf
conn test
keyexchange=ikev1
left=x.x.x.x
leftsubnet=0.0.0.0/0
leftfirewall=yes
right=%any
rightid=test at test.com
rightsourceip=192.168.100.0/24
auto=add
compress=yes
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
authby=secret
and ipsec.secrets
x.x.x.x test at test.com : PSK "password"
and here's the log entries i get;
charon: 12[CFG] looking for pre-shared key peer configs matching
x.x.x.x...y.y.y.y[z.z.z.z]
charon: 12[IKE] no peer config found
charon: 12[ENC] generating INFORMATIONAL_V1 request 3091113035 [ HASH
N(AUTH_FAILED) ]
charon: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500]
(92 bytes)
x.x.x.x - is my private internal ip
y.y.y.y - the initiators public ip
z.z.z.z - is the initiators internal private ip
On 19/9/2014 at 4:48 PM, "Martin Willi" wrote:Hi,
> It's seems fairly straightforward however I am continually
> getting the error "no ike config found".
> conn test
> keyexchange=ikev1
> nat_traversal=yes
nat_traversal is not a conn specific option, and has been deprecated
with 5.x.
> left=x.x.x.x
Usually you define the right side as remote, so set right to the peers
address. If you set left, set it to a local address to use.
Further, you may add something like:
ike=aes128-sha1-modp1024!
esp=aes-sha1!
rightid=test at test.com
Also you probably need a leftid for your local peer, and put your
password in ipsec.secrets.
Please include a log excerpt of your connection attempt if it doesn't
work.
Regards
Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140922/acfe05cd/attachment.html>
More information about the Users
mailing list