[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

Noel Kuntze noel at familie-kuntze.de
Sun Jul 19 22:32:53 CEST 2015


Hello Tomek,

Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 19.07.2015 um 13:34 schrieb tomek_byd:
> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had contact with IPsec. I'm in control of both the TL-ER6120 and the OpenWRT device, so I can make changes on both. I see the error "IDr payload missing" but the parameter "leftid" is set in the config file.
>
> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>
> TL-ER6120 configuration:
> IKE Proposal: MD5, 3DES, DH2
> IKE Policy:
>   Exchange Mode: main,
>   Local ID Type: FQDN,
>   Local ID: A.A.A.A
>   Remote ID Type: FQDN
>   Remote ID: B.B.B.B
>   Pre-shared Key: XXXXXX
>   SA Lifetime: 28800
>   DPD: Disable
> IPsec Proposal: ESP, MD5, 3DES
> IPsec Policy:
>   Mode: LAN-to-LAN
>   Local Subnet: 192.168.1.0/24
>   Remote Subnet: 192.168.2.0/24
>   WAN: WAN1
>   Remote Gateway: B.B.B.B
>   Policy Mode: IKE
>   PFS: DH2
>   SA Lifetime: 28800
>
> OpenWRT configuration:
> /etc/ipsec.conf:
> config setup
>     # strictcrlpolicy = no
>     # uniqueids = no
> conn somename
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     type=tunnel
>     authby=secret
>     ike=3des-md5-modp1024!
>     esp=3des-md5!
>     rekey=no
>     left=B.B.B.B
>     leftid=B.B.B.B
>     leftsubnet=192.168.2.0/24
>     leftauth=psk
>     right=A.A.A.A
>     rightid=A.A.A.A
>     rightsubnet=192.168.1.0/24
>     rightauth=psk
>     dpdaction=none
>     auto=add
>     mobike=no
> /etc/ipsec.secrets
> A.A.A.A : PSK "XXXXXX"
> B.B.B.B : PSK "XXXXXX"
>
> Output:
> root at SomeWRT:~# ipsec up somename
> no files found matching '/etc/strongswan.d/*.conf'
> initiating IKE_SA somename[1] to A.A.A.A
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
> local host is behind NAT, sending keep alives
> remote host is behind NAT
> authentication of 'B.B.B.B' (myself) with pre-shared key
> establishing CHILD_SA somename
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
> IDr payload missing
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
> establishing connection 'somename' failed

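A corrected ipsec.conf along the lines of Noel's advice (IKEv1 main mode to match the router's "Exchange Mode: main", and a cipher other than 3DES), added here as an example and not taken from the thread. It assumes the TL-ER6120's IKE and IPsec proposals are changed to AES-128/SHA1 as well (its cipher menu is not shown in the thread) and keeps the IDs, subnets and lifetimes from the original post:

```conf
# /etc/ipsec.conf on the OpenWRT side (added example, not from the thread)
config setup

conn somename
    keyexchange=ikev1          # the TL-ER6120 runs IKEv1; "Exchange Mode: main" is IKEv1 main mode
    aggressive=no              # main mode, not aggressive mode
    authby=secret              # pre-shared key, as in /etc/ipsec.secrets
    type=tunnel
    # Assumption: both ends moved from 3DES/MD5 to AES-128/SHA1; DH group 2 = modp1024
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!  # DH group in esp= gives PFS, matching "PFS: DH2" on the router
    ikelifetime=8h             # 28800 s, the router's IKE SA Lifetime
    keylife=8h                 # 28800 s, the router's IPsec SA Lifetime
    rekeymargin=3m
    keyingtries=1
    dpdaction=none             # DPD is disabled on the router
    left=B.B.B.B
    leftid=B.B.B.B             # if the router rejects the ID type, leftid=fqdn:B.B.B.B forces FQDN (assumption)
    leftsubnet=192.168.2.0/24
    right=A.A.A.A
    rightid=A.A.A.A
    rightsubnet=192.168.1.0/24
    auto=add
```

After `ipsec restart`, bring the tunnel up with `ipsec up somename` and confirm with `ipsec statusall` that the IKE_SA and CHILD_SA are ESTABLISHED with the expected proposals.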