[strongSwan] xauth forced in site-to-site

Alexandre DEPREZ alex at madrouter.com
Fri Jun 5 19:39:41 CEST 2015


Yes, true, they are for Openswan, my bad.

I do not have a hand on the other side. Can't tell.

On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

> Hello Alexandre,
>
> These options don't exist:
>         leftxauthclient=no
>         rightxauthserver=no
> You described using those in one of your last emails.
> What is the config on the other side?
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 05.06.2015 um 19:29 schrieb Alexandre DEPREZ:
> > Randy,
> >
> > I'll change if there are no other possibilities.
> >
> > As for the link you gave me, thank you for it. I did a lot of digging in the documentation I could read. So far, nothing seems to work.
> >
> >
> > Noel,
> >
> > version 2.0
> >
> > config setup
> >         charonstart=no
> >         interfaces="%none"
> >         nat_traversal=no
> >
> > conn clear
> >         auto=ignore
> >
> > conn clear-or-private
> >         auto=ignore
> >
> > conn private-or-clear
> >         auto=ignore
> >
> > conn private
> >         auto=ignore
> >
> > conn block
> >         auto=ignore
> >
> > conn packetdefault
> >         auto=ignore
> >
> > conn %default
> >         keyexchange=ikev1
> >
> > conn tunnel-1
> >         left=a.a.a.a
> >         right=b.b.b.b
> >         leftsubnet=10.252.243.128/28
> >         rightsubnet=172.23.149.0/24
> >         leftsourceip=a.a.a.a
> >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
> >         ikelifetime=86400s
> >         dpddelay=15s
> >         dpdtimeout=30s
> >         dpdaction=restart
> >         esp=aes256-sha1!
> >         keylife=3600s
> >         rekeymargin=540s
> >         type=tunnel
> >         authby=secret
> >         pfs=no
> >         compress=no
> >         auto=start
> >         keyingtries=%forever
> >
> >
> > Also, I didn't get the imaginary configuration option part?
> >
> > Thanks
> >
> >
> >
> >
> > On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > Hello Alexandre,
> >
> > Please stop trying to use some imaginary configuration options and stick to those
> > on the man page of ipsec.conf.
> >
> > What is your complete ipsec.conf? Pay attention to conn %default, if you have that,
> > as it will bequeath its own options to _all_ other conns.
> >
> >
> >
> > Mit freundlichen Grüßen/Kind Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > Am 05.06.2015 um 19:07 schrieb Alexandre DEPREZ:
> > > Hi Randy,
> >
> > > I forgot to mention, I'm using this version:
> >
> > > Linux strongSwan U4.5.2/K3.2.0-4-amd64
> >
> > > Here it is:
> >
> > > conn tunnel-1
> > >         left=a.a.a.a
> > >         right=b.b.b.b
> > >         leftsubnet=10.252.243.128/28
> > >         rightsubnet=172.23.149.0/24
> > >         leftsourceip=a.a.a.a
> > >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
> > >         ikelifetime=86400s
> > >         dpddelay=15s
> > >         dpdtimeout=30s
> > >         dpdaction=restart
> > >         esp=aes256-sha1!
> > >         keylife=3600s
> > >         rekeymargin=540s
> > >         type=tunnel
> > >         authby=secret
> > >         pfs=no
> > >         compress=no
> > >         auto=start
> > >         keyingtries=%forever
> >
> > > I also tried to use
> >
> > >         leftxauthclient=no
> > >         rightxauthserver=no
> >
> > > No changes.
> >
> > > Thanks
> >
> >
> >
> >
> >
> > > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
> >
> > >     Please send a sanitized version of your configuration.  xauth should only be sent if you configured it to be sent.
> >
> > >     On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com> wrote:
> >
> > >         Hi,
> >
> > >         I'm using strongSwan only for L2L VPN.
> >
> > >         It's been some time now, I cannot be the initiator of the VPN because strongSwan is always sending an XAUTH option in the phase 1 establishment.
> >
> > >         When the other side is not configured to receive remote users, it's working, but when it is, I'm receiving L2TP/IPsec or some other remote access VPN protocols.
> >
> > >         I cannot wait for the other side to send me traffic in order to be the responder. I tried to recompile strongSwan removing xauth, but it's not working.
> >
> > >         Is there any configuration command I can use to force strongSwan not to send XAUTH?
> >
> > >         Thanks
> >
> > >         Alex
> >
> >
> >
> >
> >
> >
> > >         _______________________________________________
> > >         Users mailing list
> > >         Users at lists.strongswan.org
> > >         https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> >
> >
> > >     --
> > >     Randy W. Wyatt
> > >     rwwyatt01 at gmail.com
> > >     Home: 858-309-5303
> > >     Cell: 858-598-4421
> > >     Fax: 858-408-7554
> >
>
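
The `conn %default` inheritance Noel describes, together with the two keywords the thread rejects, as an added example that is not part of the original messages and is not strongSwan's own parser. The sample configuration is constructed (abbreviated from the one quoted above), and the merge rule used here (a conn's own keys override `%default`, section order ignored) is a simplifying assumption.

```python
import re

# Keywords the thread identifies as not being strongSwan options.
REJECTED_KEYS = {"leftxauthclient", "rightxauthserver"}

# Constructed sample, abbreviated from the configuration quoted in the thread.
SAMPLE = """\
config setup
        charonstart=no

conn %default
        keyexchange=ikev1

conn tunnel-1
        authby=secret
        auto=start
        leftxauthclient=no
        rightxauthserver=no
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header at column 0
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def effective_conns(text):
    """Merge conn %default into every other conn (assumed rule: own keys win)."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def rejected_keys(text, rejected=REJECTED_KEYS):
    """List (conn, key) pairs, %default included, that use a rejected keyword."""
    return sorted((name, key) for name, opts in parse_conns(text).items()
                  for key in opts if key in rejected)

if __name__ == "__main__":
    print(effective_conns(SAMPLE)["tunnel-1"])
    print(rejected_keys(SAMPLE))
```
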