[strongSwan] Equivalent strongswan settings for racoon config
cellkites at hushmail.com
Mon Sep 22 10:08:23 CEST 2014
Replying to my own message again: I sorted the issue; it was a
problem with the traffic selectors. "ipsec stroke loglevel cfg 4"
allowed me to identify the problem.
On 22/9/2014 at 2:03 PM, cellkites at hushmail.com wrote:
Ok, well, kind of replying to my own question here, but I seem to have
progressed a little further. By removing the rightid parameter it
selects the correct config and reports the SA as established, but it
never moves to an installed state and I receive the following log
messages. Does anyone have any ideas where the problem might lie?
conn test
keyexchange=ikev1
left=x.x.x.x
leftsubnet=0.0.0.0/0
leftfirewall=yes
right=%any
rightsourceip=192.168.1.0/24
auto=add
compress=yes
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
leftauth=psk
rightauth=psk
type=tunnel
charon: 16[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (164 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V ]
charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02n vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
charon: 16[IKE] y.y.y.y is initiating a Main Mode IKE_SA
charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 16[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (136 bytes)
charon: 15[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (228 bytes)
charon: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 15[IKE] local host is behind NAT, sending keep alives
charon: 15[IKE] remote host is behind NAT
charon: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 15[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (244 bytes)
charon: 11[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
charon: 11[ENC] parsed ID_PROT request 0 [ ID HASH ]
charon: 11[CFG] looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[z.z.z.z]
charon: 11[CFG] selected peer config "test"
charon: 11[IKE] IKE_SA test[4331] established between x.x.x.x[x.x.x.x]...y.y.y.y[z.z.z.z]
charon: 11[IKE] scheduling reauthentication in 3244s
charon: 11[IKE] maximum IKE_SA lifetime 3424s
charon: 11[ENC] generating ID_PROT response 0 [ ID HASH ]
charon: 11[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (76 bytes)
charon: 09[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
charon: 09[ENC] parsed INFORMATIONAL_V1 request 3154582366 [ HASH N(INITIAL_CONTACT) ]
charon: 13[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (156 bytes)
charon: 13[ENC] parsed QUICK_MODE request 4000683564 [ HASH SA No ID ID ]
charon: 13[IKE] no matching CHILD_SA config found
charon: 13[ENC] generating INFORMATIONAL_V1 request 2885462951 [ HASH N(INVAL_ID) ]
charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (76 bytes)
charon: 10[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (156 bytes)
charon: 10[IKE] received retransmit of request with ID 4000683564, but no response to retransmit
On 20/9/2014 at 8:48 AM, cellkites at hushmail.com wrote:
Apologies, cutting and pasting must have mangled the email, here's my ipsec.conf
conn test
keyexchange=ikev1
left=x.x.x.x
leftsubnet=0.0.0.0/0
leftfirewall=yes
right=%any
rightid=test at test.com
rightsourceip=192.168.100.0/24
auto=add
compress=yes
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
authby=secret
and ipsec.secrets
x.x.x.x test at test.com : PSK "password"
and here are the log entries I get:
charon: 12[CFG] looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[z.z.z.z]
charon: 12[IKE] no peer config found
charon: 12[ENC] generating INFORMATIONAL_V1 request 3091113035 [ HASH N(AUTH_FAILED) ]
charon: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (92 bytes)
x.x.x.x - my private internal IP
y.y.y.y - the initiator's public IP
z.z.z.z - the initiator's internal private IP
On 19/9/2014 at 4:48 PM, "Martin Willi" wrote:
Hi,
> It seems fairly straightforward, however I am continually
> getting the error "no ike config found".
> conn test
> keyexchange=ikev1
> nat_traversal=yes
nat_traversal is not a conn-specific option, and has been deprecated
with 5.x.
> left=x.x.x.x
Usually you define the right side as remote, so set right to the peer's
address. If you set left, set it to a local address to use.
Further, you may add something like:
ike=aes128-sha1-modp1024!
esp=aes-sha1!
rightid=test at test.com
Also you probably need a leftid for your local peer, and put your
password in ipsec.secrets.
Please include a log excerpt of your connection attempt if it doesn't
work.
Regards
Martin
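Added example, not part of the thread or of strongSwan itself: a small Python triage script that parses charon log lines of the shape quoted above and maps the two failure markers from this thread ("no peer config found" in phase 1, "no matching CHILD_SA config found" in phase 2) to the ipsec.conf settings worth checking, pairing each with the notify charon sent back. The sample log is constructed from the lines quoted in the thread, and the "check" hints are an editorial summary of the diagnosis reached here, not charon output.

```python
import re

# Constructed sample built from the charon lines quoted in the thread:
# the "no peer config" attempt (thread 12) and the "no CHILD_SA" attempt (13).
SAMPLE_LOG = """\
charon: 12[CFG] looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[z.z.z.z]
charon: 12[IKE] no peer config found
charon: 12[ENC] generating INFORMATIONAL_V1 request 3091113035 [ HASH N(AUTH_FAILED) ]
charon: 11[CFG] selected peer config "test"
charon: 11[IKE] IKE_SA test[4331] established between x.x.x.x[x.x.x.x]...y.y.y.y[z.z.z.z]
charon: 13[ENC] parsed QUICK_MODE request 4000683564 [ HASH SA No ID ID ]
charon: 13[IKE] no matching CHILD_SA config found
charon: 13[ENC] generating INFORMATIONAL_V1 request 2885462951 [ HASH N(INVAL_ID) ]
"""

# charon lines look like "charon: <thread>[<SUBSYSTEM>] <message>"
LINE_RE = re.compile(r"charon:\s*(\d+)\[([A-Z]+)\]\s+(.*)")
NOTIFY_RE = re.compile(r"N\(([A-Z_]+)\)")

# Failure markers seen in the thread and the ipsec.conf settings each points at.
# The "check" text is an editorial summary of the thread's diagnosis, not charon output.
HINTS = {
    "no peer config found":
        ("phase1", "left/right, leftid/rightid and the PSK line in ipsec.secrets"),
    "no matching CHILD_SA config found":
        ("phase2", "leftsubnet/rightsubnet/rightsourceip traffic selectors"),
}

def parse_line(line):
    """Split one charon line into (thread, subsystem, message), or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def triage(log_text):
    """Map each worker thread that logged a known failure to its phase, hint and notify."""
    result = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        thread, _sub, msg = parsed
        for marker, (phase, check) in HINTS.items():
            if msg.startswith(marker):
                result[thread] = {"phase": phase, "check": check, "notify": None}
        n = NOTIFY_RE.search(msg)
        if n and "generating" in msg and thread in result:
            result[thread]["notify"] = n.group(1)   # notify charon sent for this failure
    return result

if __name__ == "__main__":
    for t, info in triage(SAMPLE_LOG).items():
        print(f"thread {t}: {info['phase']} failure, sent N({info['notify']}); check {info['check']}")
```

Run it over a real charon log captured with "ipsec stroke loglevel cfg 4", as the thread suggests, to see which phase a failing peer is stuck in before editing ipsec.conf.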