[strongSwan] xauth forced in site-to-site

Noel Kuntze noel at familie-kuntze.de
Fri Jun 5 19:20:52 CEST 2015


Hello Alexandre,

Please stop trying to use some imaginary configuration options and stick to those
on the man page of ipsec.conf.

What is your complete ipsec.conf? Pay attention to conn %default, if you have that,
as it will bequeath its own options to _all_ other conns.



Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 05.06.2015 um 19:07 schrieb Alexandre DEPREZ:
> Hi Randy,
>
> I forgot to mention, I'm using this version:
>
> Linux strongSwan U4.5.2/K3.2.0-4-amd64
>
> Here it is:
>
> conn tunnel-1
>         left=a.a.a.a
>         right=b.b.b.b
>         leftsubnet=10.252.243.128/28
>         rightsubnet=172.23.149.0/24
>         leftsourceip=a.a.a.a
>         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>         ikelifetime=86400s
>         dpddelay=15s
>         dpdtimeout=30s
>         dpdaction=restart
>         esp=aes256-sha1!
>         keylife=3600s
>         rekeymargin=540s
>         type=tunnel
>         authby=secret
>         pfs=no
>         compress=no
>         auto=start
>         keyingtries=%forever
>
> I also tried to use
>
>         leftxauthclient=no
>         rightxauthserver=no
>
> No changes.
>
> Thanks
>
> On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
>     Please send a sanitized version of your configuration.  xauth should only be sent if you configured it to be sent.
>
>     On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com> wrote:
>
>         Hi,
>
>         I'm using strongswan only for L2L VPN.
>
>         It's been some time now, I can not be the initiator of the VPN because strongswan is always sending an XAUTH option in the phase 1 establishment.
>
>         When the other side is not configured to receive remote user, it's working but when it is, I'm receiving L2TP/IPsec or some other remote access vpn protocols.
>
>         I can not wait for the other side to send me traffic in order to be the responder. I tried to recompile strongswan removing xauth, but it's not working.
>
>         Is there any configuration command I can use to force strongswan not to send XAUTH?
>
>         Thanks
>
>         Alex
>
>         _______________________________________________
>         Users mailing list
>         Users at lists.strongswan.org
>         https://lists.strongswan.org/mailman/listinfo/users
>
>     --
>     Randy W. Wyatt
>     rwwyatt01 at gmail.com
>     Home: 858-309-5303
>     Cell: 858-598-4421
>     Fax: 858-408-7554

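
The `conn %default` inheritance mentioned in the reply above, as an added example that is not part of the original thread: a small resolver that merges `conn %default` into each conn and reports which section the effective `authby` came from. The contents of `%default` and the conn `tunnel-2` are hypothetical (the poster's full ipsec.conf is not shown); `xauthpsk` and `xauthrsasig` are the `authby` values that select XAUTH, and `also=` includes are not handled.

```python
import re

# Constructed sample: part of the poster's tunnel-1 plus a hypothetical
# conn %default and tunnel-2 (the real %default is not shown in the thread).
SAMPLE_CONF = """\
conn %default
        authby=xauthpsk

conn tunnel-1
        authby=secret
        auto=start

conn tunnel-2
        right=c.c.c.c
        auto=start
"""

XAUTH_AUTHBY = {"xauthpsk", "xauthrsasig"}  # authby values that select XAUTH

def parse_conns(text):
    """Return {conn name: {option: value}}; other section types are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        header = re.match(r"(conn|config|ca)\s+(\S+)$", line)
        if header:
            is_conn = header.group(1) == "conn"
            current = conns.setdefault(header.group(2), {}) if is_conn else None
        elif current is not None and raw[0] in " \t" and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def effective(conns):
    """Merge conn %default into every other conn; a conn's own options win."""
    defaults = conns.get("%default", {})
    return {name: {**defaults, **opts}
            for name, opts in conns.items() if name != "%default"}

def xauth_report(conns):
    """Map conn name -> (effective authby, section that set it, uses XAUTH)."""
    report = {}
    for name, opts in effective(conns).items():
        authby = opts.get("authby")
        source = name if "authby" in conns[name] else "%default" if authby else None
        report[name] = (authby, source, authby in XAUTH_AUTHBY)
    return report
```

With the constructed sample, `tunnel-1` keeps its own `authby=secret`, while `tunnel-2` silently picks up `authby=xauthpsk` from `%default`.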


