[strongSwan] xauth forced in site-to-site
Noel Kuntze
noel at familie-kuntze.de
Fri Jun 5 19:35:03 CEST 2015
Hello Alexandre,
These options don't exist:
leftxauthclient=no
rightxauthserver=no
You described using those in one of your last emails.
What is the config on the other side?
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 05.06.2015 at 19:29, Alexandre DEPREZ wrote:
> Randy,
>
> I'll change if there are no other possibilities.
>
> As for the link you gave me, thank you for it. I did a lot of digging in the documentation I could read. So far, nothing seems to work.
>
>
> Noel,
>
> version 2.0
>
> config setup
>     charonstart=no
>     interfaces="%none"
>     nat_traversal=no
>
> conn clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn block
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> conn %default
>     keyexchange=ikev1
>
> conn tunnel-1
>     left=a.a.a.a
>     right=b.b.b.b
>     leftsubnet=10.252.243.128/28
>     rightsubnet=172.23.149.0/24
>     leftsourceip=a.a.a.a
>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>     ikelifetime=86400s
>     dpddelay=15s
>     dpdtimeout=30s
>     dpdaction=restart
>     esp=aes256-sha1!
>     keylife=3600s
>     rekeymargin=540s
>     type=tunnel
>     authby=secret
>     pfs=no
>     compress=no
>     auto=start
>     keyingtries=%forever
>
>
> Also, I didn't get the imaginary configuration option part?
>
> Thanks
>
>
>
>
> On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Alexandre,
>
> Please stop trying to use some imaginary configuration options and stick to those
> on the man page of ipsec.conf.
>
> What is your complete ipsec.conf? Pay attention to conn %default, if you have that,
> as it will bequeath its own options to _all_ other conns.
>
>
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 05.06.2015 at 19:07, Alexandre DEPREZ wrote:
> > Hi Randy,
>
> > I forgot to mention, I'm using this version:
>
> > Linux strongSwan U4.5.2/K3.2.0-4-amd64
>
> > Here it is:
>
> > conn tunnel-1
> >     left=a.a.a.a
> >     right=b.b.b.b
> >     leftsubnet=10.252.243.128/28
> >     rightsubnet=172.23.149.0/24
> >     leftsourceip=a.a.a.a
> >     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
> >     ikelifetime=86400s
> >     dpddelay=15s
> >     dpdtimeout=30s
> >     dpdaction=restart
> >     esp=aes256-sha1!
> >     keylife=3600s
> >     rekeymargin=540s
> >     type=tunnel
> >     authby=secret
> >     pfs=no
> >     compress=no
> >     auto=start
> >     keyingtries=%forever
>
> > I also tried to use
>
> > leftxauthclient=no
> > rightxauthserver=no
>
> > No changes.
>
> > Thanks
>
>
>
>
>
> > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
> > Please send a sanitized version of your configuration. xauth should only be sent if you configured it to be sent.
>
> > On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com> wrote:
>
> > Hi,
>
> > I'm using strongswan only for L2L VPN.
>
> > It's been some time now; I cannot be the initiator of the VPN because strongswan is always sending an XAUTH option in the phase 1 establishment.
>
> > When the other side is not configured to receive remote users, it's working, but when it is, I'm receiving L2TP/IPsec or some other remote access VPN protocols.
>
> > I cannot wait for the other side to send me traffic in order to be the responder. I tried to recompile strongswan removing xauth, but it's not working.
>
> > Is there any configuration command I can use to force strongswan not to send XAUTH?
>
> > Thanks
>
> > Alex
>
>
>
>
>
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
>
>
> > --
> > Randy W. Wyatt
> > rwwyatt01 at gmail.com
> > Home: 858-309-5303
> > Cell: 858-598-4421
> > Fax: 858-408-7554
>
>
>
>
>
>
>
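Added example, not part of the original thread and not strongSwan code: a small Python check for the two points raised above. It flags keywords that are not in a known list, and shows what `conn %default` passes on to another conn. The names `KNOWN`, `SAMPLE`, `parse`, `unknown_keywords` and `effective` are hypothetical, and the keyword list is only the subset that appears in the posted configuration.

```python
# Keywords used in the configuration posted in this thread: a constructed
# subset, not the full list. Extend it from `man ipsec.conf` for your version.
KNOWN = {
    "config": {"charonstart", "interfaces", "nat_traversal"},
    "conn": {"left", "right", "leftsubnet", "rightsubnet", "leftsourceip",
             "ike", "esp", "ikelifetime", "keylife", "rekeymargin", "pfs",
             "keyingtries", "keyexchange", "dpddelay", "dpdtimeout",
             "dpdaction", "type", "authby", "compress", "auto"},
}
# Constructed sample: the thread's conn, shortened, plus the two rejected options.
SAMPLE = """\
conn %default
    keyexchange=ikev1
conn tunnel-1
    left=a.a.a.a
    authby=secret
    leftxauthclient=no
    rightxauthserver=no
    auto=start
"""

def parse(text):
    """Return {(kind, name): {keyword: (value, line number)}}."""
    sections, current = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not raw[0].isspace():  # section headers start in column 0
            parts = line.split()
            known = len(parts) == 2 and parts[0] in KNOWN
            current = sections.setdefault(tuple(parts), {}) if known else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = (value.strip(), no)
    return sections

def unknown_keywords(sections):
    """List (section name, keyword, line number) for keywords not in KNOWN."""
    return [(name, key, no) for (kind, name), opts in sections.items()
            for key, (_, no) in opts.items() if key not in KNOWN[kind]]

def effective(sections, name):
    """Options of conn <name> after inheriting from conn %default."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections[("conn", name)])
    return {key: value for key, (value, _) in merged.items()}

if __name__ == "__main__":
    print(unknown_keywords(parse(SAMPLE)), effective(parse(SAMPLE), "tunnel-1"))
```

Run against the sample, it reports `leftxauthclient` and `rightxauthserver` with their line numbers and shows `keyexchange=ikev1` arriving in `tunnel-1` from `conn %default`.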