[strongSwan] xauth forced in site-to-site

Randy Wyatt rwwyatt01 at gmail.com
Fri Jun 5 19:17:13 CEST 2015


1.) Do you need to stay on 4.5.2?  As per my understanding, it is quite
old.  The latest version is 5.3.0.
2.)  Do you have multiple tunnels on this unit with different
authentication methods?  The examples at
https://www.strongswan.org/uml/testresults4/ikev1/rw-psk-ipv4/  show authby
in the default connection.

Regards,
Randy

On Fri, Jun 5, 2015 at 10:07 AM, Alexandre DEPREZ <alex at madrouter.com>
wrote:

> Hi Randy,
>
> I forgot to mention, I'm using this version:
>
> Linux strongSwan U4.5.2/K3.2.0-4-amd64
>
> Here it is:
>
> conn tunnel-1
>         left=a.a.a.a
>         right=b.b.b.b
>         leftsubnet=10.252.243.128/28
>         rightsubnet=172.23.149.0/24
>         leftsourceip=a.a.a.a
>         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>         ikelifetime=86400s
>         dpddelay=15s
>         dpdtimeout=30s
>         dpdaction=restart
>         esp=aes256-sha1!
>         keylife=3600s
>         rekeymargin=540s
>         type=tunnel
>         authby=secret
>         pfs=no
>         compress=no
>         auto=start
>         keyingtries=%forever
>
> I also tried to use
>
>         leftxauthclient=no
>         rightxauthserver=no
>
> No changes.
>
> Thanks
>
> On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
>> Please send a sanitized version of your configuration.  xauth should only
>> be sent if you configured it to be sent.
>>
>> On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I'm using strongswan only for L2L VPN.
>>>
>>> It's been some time now, I cannot be the initiator of the VPN because
>>> strongswan is always sending an XAUTH option in the phase 1 establishment.
>>>
>>> When the other side is not configured to receive remote users, it's
>>> working, but when it is, I'm receiving L2TP/IPsec or some other remote
>>> access VPN protocols.
>>>
>>> I cannot wait for the other side to send me traffic in order to be the
>>> responder. I tried to recompile strongswan removing xauth, but it's not
>>> working.
>>>
>>> Is there any configuration command I can use to force strongswan not to
>>> send XAUTH?
>>>
>>> Thanks
>>>
>>> Alex
>>
>>
>>
>> --
>> Randy W. Wyatt
>> rwwyatt01 at gmail.com
>> Home: 858-309-5303
>> Cell: 858-598-4421
>> Fax: 858-408-7554