[strongSwan] L2TP over strongswan

Noel Kuntze noel at familie-kuntze.de
Mon Apr 27 23:42:53 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Randy,

On RHEL-like platforms, the "ipsec" tool is actually called "ipsec" and usually only libreswan is available from the repos.
Also, configuration files are in /etc/strongswan/.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 27.04.2015 um 23:41 schrieb Randy Wyatt:
> Rajiv,
>   Thank you for your help.
>
> There were a couple of issues.
> 1.) Don't use the Fedora Package.  It is missing several critical components such as ipsec.  The logging output was also different.
> 2.) The ultimate problem was with the PSK.
> I now have xl2tpd/Strongswan up and running.
>
> On Mon, Apr 27, 2015 at 12:05 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com> wrote:
>
>     why dont you try the below sample configs please:
>
>     On L2TP-Server
>     ===============
>     # /etc/ipsec.conf - strongSwan IPsec configuration file
>
>     config setup
>         strictcrlpolicy=no
>         crlcheckinterval=180
>
>     conn %default
>         ikelifetime=30m
>         keylife=15m
>         rekeymargin=3m
>         keyingtries=1
>         mobike=no
>         dpdaction=clear
>         dpddelay=30
>         dpdtimeout=120
>
>     conn mainconn
>         left=2.2.2.2
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         authby=secret
>         type=transport
>         keyexchange=ikev1
>         auto=add
>
>     # /etc/ipsec.secrets - strongSwan IPsec secrets file
>     : PSK "123456"
>
>     On the L2TP-Client
>     ===================
>     # /etc/ipsec.conf - strongSwan IPsec configuration file
>
>     config setup
>         strictcrlpolicy=no
>       
>     conn %default
>         ikelifetime=30m
>         keylife=15m
>         rekeymargin=3m
>         keyingtries=1
>         mobike=no
>         dpdaction=restart
>         dpddelay=30
>         dpdtimeout=120
>       
>     conn topeergwconnection
>         left=1.1.1.2
>         leftprotoport=17/1701
>         right=2.2.2.2
>         rightprotoport=17/1701
>         authby=secret
>         type=transport
>         keyexchange=ikev1
>         auto=route
>
>     # /etc/ipsec.secrets - strongSwan IPsec secrets file
>     : PSK "123456"
>
>     =======================================
>
>     There is NO leftsubnet, on either the server or the client, to be mentioned, as it's a transport-mode tunnel (using udp/1701, the L2TP port, as the selector)
>
>     thanks & regards
>     Rajiv
>
>
>
>
>
>     On Mon, Apr 27, 2015 at 10:51 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
>         I am trying to setup a roadwarrior L2TP server using strongswan as the ipsec layer.
>
>         I keep running into the following error message in the logs:
>
>         Apr 27 13:15:59 Saturn charon: 11[NET] received packet: from client1[12117] to server1[500] (408 bytes)
>         Apr 27 13:15:59 Saturn charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
>         Apr 27 13:15:59 Saturn charon: 11[IKE] no IKE config found for server1...client1, sending NO_PROPOSAL_CHOSEN
>
>         The configuration in ipsec is as follows:
>         [root at Saturn log]# cat /etc/ipsec.conf
>         config setup
>                 cachecrls=yes
>                 strictcrlpolicy=yes
>                 charondebug="ike 2, knl 3, cfg 2"
>
>         conn %default
>                 keyingtries=1
>                 keyexchange=ike
>
>         conn roadwarrior
>                 type=transport
>                 authby=secret
>                 pfs=yes
>                 rekey=no
>                 left=server1
>                 leftsubnet=172.17.1.0/24
>                 leftprotoport=1701
>                 right=%any
>                 rightprotoport=1701
>                 auto=add
>
>          cat /etc/ipsec.secrets
>         server1 %any : PSK "mypsk"
>
>
>         Any ideas on What I am doing wrong?
>
>         Regards,
>         Randy
>         --
>         Randy W. Wyatt
>         rwwyatt01 at gmail.com
>         Home: 858-309-5303
>         Cell: 858-598-4421
>         Fax: 858-408-7554
>            
>
>
>         _______________________________________________
>         Users mailing list
>         Users at lists.strongswan.org
>         https://lists.strongswan.org/mailman/listinfo/users
>
>
>
>
>
> --
> Randy W. Wyatt
> rwwyatt01 at gmail.com
> Home: 858-309-5303
> Cell: 858-598-4421
> Fax: 858-408-7554
>    
>
>
>
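The two configurations in this thread differ exactly where an L2TP/IPsec transport-mode conn usually goes wrong: Randy's `leftprotoport=1701` lacks the protocol number (strongSwan's protoport syntax is `<protocol>/<port>`, so L2TP is `17/1701`), it carries a `leftsubnet` that has no meaning in transport mode, and both sides' samples use very short PSKs. The following Python script is an added example, not strongSwan code or anything posted in the thread: it parses `ipsec.conf`/`ipsec.secrets` text and flags those three conditions. The sample configs embedded in it are copied from the messages above (Rajiv's `%default` section trimmed); the 20-character PSK threshold is an assumption of this example, not a strongSwan limit.

```python
"""Lint a strongSwan ipsec.conf / ipsec.secrets pair for the L2TP-over-IPsec
pitfalls discussed in the thread: protoport selectors without the protocol
number, subnet settings on a transport-mode conn, and short PSKs.
Added example, not strongSwan code."""
import re

# Copied from Randy's original post (the failing configuration).
RANDY_CONF = """\
config setup
        cachecrls=yes
        strictcrlpolicy=yes
        charondebug="ike 2, knl 3, cfg 2"

conn %default
        keyingtries=1
        keyexchange=ike

conn roadwarrior
        type=transport
        authby=secret
        pfs=yes
        rekey=no
        left=server1
        leftsubnet=172.17.1.0/24
        leftprotoport=1701
        right=%any
        rightprotoport=1701
        auto=add
"""

# Copied from Rajiv's working server sample (the %default section trimmed).
RAJIV_SERVER_CONF = """\
config setup
    strictcrlpolicy=no
    crlcheckinterval=180

conn mainconn
    left=2.2.2.2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    authby=secret
    type=transport
    keyexchange=ikev1
    auto=add
"""
RAJIV_SECRETS = ': PSK "123456"\n'

MIN_PSK_LEN = 20  # assumption of this example, not a strongSwan limit


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}. A non-indented line opens a
    section ('conn X' or 'config setup'); indented lines are its settings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split()[:2])
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Merge 'conn %default' into every other conn, as charon does."""
    defaults = sections.get("conn %default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def lint_l2tp_conn(name, conn):
    """Checks for one conn meant to carry L2TP (UDP/1701) in transport mode."""
    findings = []
    if conn.get("type") == "transport":
        for side in ("leftsubnet", "rightsubnet"):
            if side in conn:
                findings.append(f"{name}: {side}={conn[side]} is meaningless in "
                                "transport mode; the selector comes from protoport")
    for side in ("leftprotoport", "rightprotoport"):
        value = conn.get(side)
        if value is None:
            findings.append(f"{name}: {side} missing; L2TP needs {side}=17/1701")
        elif not re.fullmatch(r"(17|udp)/1701", value):
            findings.append(f"{name}: {side}={value} should be 17/1701 "
                            "(protocol/port, i.e. UDP 1701)")
    return findings


def lint_secrets(text):
    """Flag short PSKs in lines of the form '<selectors> : PSK "secret"'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r'\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m and len(m.group(2)) < MIN_PSK_LEN:
            findings.append(f"ipsec.secrets:{lineno}: PSK is only "
                            f"{len(m.group(2))} characters; use a long random secret")
    return findings


def lint(conf_text, secrets_text=""):
    findings = []
    for name, conn in effective_conns(parse_ipsec_conf(conf_text)).items():
        findings.extend(lint_l2tp_conn(name, conn))
    findings.extend(lint_secrets(secrets_text))
    return findings


if __name__ == "__main__":
    for label, conf, secrets in (("randy", RANDY_CONF, 'server1 %any : PSK "mypsk"\n'),
                                 ("rajiv", RAJIV_SERVER_CONF, RAJIV_SECRETS)):
        print(f"== {label}")
        for f in lint(conf, secrets) or ["no findings"]:
            print(" ", f)
```

Run stand-alone it prints one finding per line for each sample. Two caveats worth keeping in mind when reading the thread: charon's `no IKE config found for server1...client1` is logged when no conn's `left`/`right` addresses and IKE version match the incoming request, which happens before any secret is consulted, so a wrong PSK surfaces later as an authentication failure rather than as that message; and with `right=%any` under IKEv1 main mode the responder must pick the PSK by peer address, before it knows the client's identity, which is why every roadwarrior ends up sharing the single `: PSK` entry.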