[strongSwan] L2TP over strongswan
Noel Kuntze
noel at familie-kuntze.de
Mon Apr 27 23:42:53 CEST 2015
Hello Randy,
On RHEL-like platforms, the "ipsec" tool is actually called "ipsec" and usually, only libreswan is available from the repos.
Also, configuration files are in /etc/strongswan/.
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 27.04.2015 at 23:41, Randy Wyatt wrote:
> Rajiv,
> Thank you for your help.
>
> There were a couple of issues.
> 1.) Don't use the Fedora Package. It is missing several critical components such as ipsec. The logging output was also different.
> 2.) The ultimate problem was with the PSK.
> I now have xl2tpd/Strongswan up and running.
>
> On Mon, Apr 27, 2015 at 12:05 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com> wrote:
>
> Why don't you try the sample configs below, please:
>
> On L2TP-Server
> ===============
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     strictcrlpolicy=no
>     crlcheckinterval=180
>
> conn %default
>     ikelifetime=30m
>     keylife=15m
>     rekeymargin=3m
>     keyingtries=1
>     mobike=no
>     dpdaction=clear
>     dpddelay=30
>     dpdtimeout=120
>
> conn mainconn
>     left=2.2.2.2
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/1701
>     authby=secret
>     type=transport
>     keyexchange=ikev1
>     auto=add
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
> : PSK "123456"
>
> On the L2TP-Client
> ===================
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     strictcrlpolicy=no
>
> conn %default
>     ikelifetime=30m
>     keylife=15m
>     rekeymargin=3m
>     keyingtries=1
>     mobike=no
>     dpdaction=restart
>     dpddelay=30
>     dpdtimeout=120
>
> conn topeergwconnection
>     left=1.1.1.2
>     leftprotoport=17/1701
>     right=2.2.2.2
>     rightprotoport=17/1701
>     authby=secret
>     type=transport
>     keyexchange=ikev1
>     auto=route
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
> : PSK "123456"
>
> =======================================
>
> There is NO leftsubnet, on either server or the client, to be mentioned as it's a transport mode tunnel (using udp/1701, the l2tp port, as the selector).
>
> thanks & regards
> Rajiv
>
> On Mon, Apr 27, 2015 at 10:51 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
> I am trying to setup a roadwarrior L2TP server using strongswan as the ipsec layer.
>
> I keep running into the following error message in the logs:
>
> Apr 27 13:15:59 Saturn charon: 11[NET] received packet: from client1[12117] to server1[500] (408 bytes)
> Apr 27 13:15:59 Saturn charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> Apr 27 13:15:59 Saturn charon: 11[IKE] no IKE config found for server1...client1, sending NO_PROPOSAL_CHOSEN
>
> The configuration in ipsec is as follows:
> [root at Saturn log]# cat /etc/ipsec.conf
> config setup
>     cachecrls=yes
>     strictcrlpolicy=yes
>     charondebug="ike 2, knl 3, cfg 2"
>
> conn %default
>     keyingtries=1
>     keyexchange=ike
>
> conn roadwarrior
>     type=transport
>     authby=secret
>     pfs=yes
>     rekey=no
>     left=server1
>     leftsubnet=172.17.1.0/24
>     leftprotoport=1701
>     right=%any
>     rightprotoport=1701
>     auto=add
>
> cat /etc/ipsec.secrets
> server1 %any : PSK "mypsk"
>
>
> Any ideas on what I am doing wrong?
>
> Regards,
> Randy
> --
> Randy W. Wyatt
> rwwyatt01 at gmail.com
> Home: 858-309-5303
> Cell: 858-598-4421
> Fax: 858-408-7554
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
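The two server configurations in the thread side by side, as an added example that is not code from the original posts or from the strongSwan project: a small Python lint that parses the ipsec.conf section layout (headers in column 0, indented key=value parameters, `conn %default` layered under every conn) and flags what the replies above call out, namely a leftsubnet/rightsubnet on a transport-mode conn, a protoport selector that is not udp/1701, keyexchange not pinned to ikev1, plus a short PSK in ipsec.secrets. The rule set, the minimum PSK length and the sample texts (copied from the messages above, Rajiv's %default block abridged) are the editor's assumptions, not strongSwan's own validation; strongSwan does not ship this check.

```python
"""Lint an ipsec.conf / ipsec.secrets pair for an L2TP-over-IPsec transport-mode conn.
Added example for this thread; the rules are the editor's assumptions, not strongSwan's."""
import re

# Constructed from the thread: Randy's server config, the one that failed.
BROKEN_CONF = """\
config setup
    cachecrls=yes
    strictcrlpolicy=yes
    charondebug="ike 2, knl 3, cfg 2"

conn %default
    keyingtries=1
    keyexchange=ike

conn roadwarrior
    type=transport
    authby=secret
    pfs=yes
    rekey=no
    left=server1
    leftsubnet=172.17.1.0/24
    leftprotoport=1701
    right=%any
    rightprotoport=1701
    auto=add
"""

# Constructed from the thread: Rajiv's server-side sample, %default abridged.
SAMPLE_CONF = """\
config setup
    strictcrlpolicy=no

conn %default
    keyingtries=1
    mobike=no

conn mainconn
    left=2.2.2.2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    authby=secret
    type=transport
    keyexchange=ikev1
    auto=add
"""

# Spellings of the L2TP selector this lint accepts (UDP port 1701 on both ends).
L2TP_SELECTORS = {"17/1701", "udp/1701", "udp/l2tp", "17/l2tp"}


def parse_ipsec_conf(text):
    """Section headers ('config setup', 'conn NAME') start in column 0;
    the key=value parameters below a header must be indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            kind, _, name = raw.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter before any section header: {raw.strip()}")
        key, sep, value = raw.strip().partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw.strip()}")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """Layer the named conn over 'conn %default', which applies to every conn."""
    params = dict(sections.get(("conn", "%default"), {}))
    params.update(sections[("conn", name)])
    return params


def lint_l2tp_conn(sections, name):
    """Findings for a conn meant to carry L2TP inside IPsec transport mode."""
    p = effective_conn(sections, name)
    findings = []
    if p.get("type") != "transport":
        findings.append(f"{name}: type={p.get('type', 'tunnel')}; L2TP/IPsec runs in type=transport")
    for side in ("left", "right"):
        if f"{side}subnet" in p:
            findings.append(f"{name}: {side}subnet is set; transport mode selects on protoport, drop it")
        pp = p.get(f"{side}protoport", "")
        if pp not in L2TP_SELECTORS:
            findings.append(f"{name}: {side}protoport={pp or '(unset)'}; the L2TP selector is 17/1701")
    if p.get("keyexchange") != "ikev1":
        findings.append(f"{name}: keyexchange={p.get('keyexchange', '(unset)')}; L2TP/IPsec clients use IKEv1, pin it")
    return findings


def lint_secrets(text, min_len=20):
    """Flag short PSKs on ipsec.secrets lines of the form '[ids] : PSK "secret"'."""
    findings = []
    for line in text.splitlines():
        m = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m and len(m.group(2)) < min_len:
            findings.append(f"PSK for {m.group(1) or '%any'!r} is {len(m.group(2))} chars; use >= {min_len} random ones")
    return findings


if __name__ == "__main__":
    for label, conf, conn in (("broken", BROKEN_CONF, "roadwarrior"), ("sample", SAMPLE_CONF, "mainconn")):
        print(label, lint_l2tp_conn(parse_ipsec_conf(conf), conn) or ["ok"])
    print(lint_secrets('server1 %any : PSK "mypsk"\n: PSK "123456"'))
```

Run against Randy's conn the lint reports four findings (leftsubnet present, both protoports given as bare `1701`, keyexchange left at `ike`); Rajiv's `mainconn` passes clean, but both threads' secrets files fail the PSK length rule, which matches Randy's closing remark that the PSK was the ultimate problem. The lint deliberately does not claim how strongSwan itself interprets a bare `1701` in protoport; it only compares against the udp/1701 selector the working sample uses.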