[strongSwan] xauth forced in site-to-site

Alexandre DEPREZ alex at madrouter.com
Fri Jun 5 19:29:50 CEST 2015


Randy,

I'll change if there are no other possibilities.

As for the link you gave me, thank you for it. I did a lot of digging in
the documentation I could read. So far, nothing seems to work.


Noel,

version 2.0

config setup
        charonstart=no
        interfaces="%none"
        nat_traversal=no

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn %default
        keyexchange=ikev1

conn tunnel-1
        left=a.a.a.a
        right=b.b.b.b
        leftsubnet=10.252.243.128/28
        rightsubnet=172.23.149.0/24
        leftsourceip=a.a.a.a
        ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
        ikelifetime=86400s
        dpddelay=15s
        dpdtimeout=30s
        dpdaction=restart
        esp=aes256-sha1!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        authby=secret
        pfs=no
        compress=no
        auto=start
        keyingtries=%forever


Also, I didn't get the imaginary configuration option part?

Thanks




On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> Hello Alexandre,
>
> Please stop trying to use some imaginary configuration options and stick
> to those on the man page of ipsec.conf.
>
> What is your complete ipsec.conf? Pay attention to conn %default, if you
> have that, as it will bequeath its own options to _all_ other conns.
>
>
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 05.06.2015 um 19:07 schrieb Alexandre DEPREZ:
> > Hi Randy,
> >
> > I forgot to mention, I'm using this version:
> >
> > Linux strongSwan U4.5.2/K3.2.0-4-amd64
> >
> > Here it is:
> >
> > conn tunnel-1
> >         left=a.a.a.a
> >         right=b.b.b.b
> >         leftsubnet=10.252.243.128/28
> >         rightsubnet=172.23.149.0/24
> >         leftsourceip=a.a.a.a
> >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
> >         ikelifetime=86400s
> >         dpddelay=15s
> >         dpdtimeout=30s
> >         dpdaction=restart
> >         esp=aes256-sha1!
> >         keylife=3600s
> >         rekeymargin=540s
> >         type=tunnel
> >         authby=secret
> >         pfs=no
> >         compress=no
> >         auto=start
> >         keyingtries=%forever
> >
> > I also tried to use
> >
> >         leftxauthclient=no
> >         rightxauthserver=no
> >
> > No changes.
> >
> > Thanks
> >
> >
> >
> >
> >
> > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
> >
> >     Please send a sanitized version of your configuration.  xauth should only be sent if you configured it to be sent.
> >
> >     On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com> wrote:
> >
> >         Hi,
> >
> >         I'm using strongswan only for L2L VPN.
> >
> >         It's been some time now, I can not be the initiator of the VPN because strongswan is always sending an XAUTH option in the phase 1 establishment.
> >
> >         When the other side is not configured to receive remote user, it's working but when it is, I'm receiving L2TP/IPsec or some other remote access vpn protocols.
> >
> >         I can not wait for the other side to send me traffic in order to be the responder. I tried to recompile strongswan removing xauth, but it's not working.
> >
> >         Is there any configuration command I can use to force strongswan not to send XAUTH?
> >
> >         Thanks
> >
> >         Alex
> >
> >
> >
> >
> >
> >
> >         _______________________________________________
> >         Users mailing list
> >         Users at lists.strongswan.org
> >         https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> >
> >
> >     --
> >     Randy W. Wyatt
> >     rwwyatt01 at gmail.com
> >     Home: 858-309-5303
> >     Cell: 858-598-4421
> >     Fax: 858-408-7554
> >
> >
> >
> >
> >
>
>
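
The `conn %default` inheritance raised in the quoted reply can be checked mechanically by computing each conn's effective options. This is an added example, not part of the original thread or of strongSwan; the sample config is constructed, and its `authby=xauthpsk` line in `%default` is hypothetical (the config posted above has no such line). The parser is a simplification that ignores `also=` and `include`.

```python
# Constructed sample modelled on the ipsec.conf layout posted in this thread.
# The authby line under %default is hypothetical, to show an inherited value.
SAMPLE = """\
config setup
        charonstart=no

conn %default
        keyexchange=ikev1
        authby=xauthpsk

conn tunnel-1
        left=a.a.a.a
        right=b.b.b.b
        auto=start

conn tunnel-2
        left=a.a.a.a
        right=c.c.c.c
        authby=secret
        auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue                       # blank line or comment
        if not line[0].isspace():          # section header starts at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def effective_conns(text):
    """Merge conn %default into every other conn; explicit keys win."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def xauth_conns(text):
    """Names of conns whose effective authby is an XAUTH variant."""
    return sorted(name for name, opts in effective_conns(text).items()
                  if opts.get("authby", "").startswith("xauth"))
```

Here `tunnel-1` never mentions XAUTH itself yet ends up with `authby=xauthpsk`, while `tunnel-2` overrides it with its own `authby=secret`.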