[strongSwan] xauth forced in site-to-site

Randy Wyatt rwwyatt01 at gmail.com
Fri Jun 5 19:44:20 CEST 2015


Can you post your logfile?

The difference in configurations is the wiki has authby=secret in the
default connection whereas you have it in the individual connection.

Regards,
Randy

On Fri, Jun 5, 2015 at 10:39 AM, Alexandre DEPREZ <alex at madrouter.com>
wrote:

> yes, true, they are for openswan, my bad.
>
> I do not have a hand on the other side. Can't tell
>
> On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>>
>> Hello Alexandre,
>>
>> These options don't exist:
>>         leftxauthclient=no
>>         rightxauthserver=no
>> You described using those in one of your last emails.
>> What is the config on the other side?
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 05.06.2015 um 19:29 schrieb Alexandre DEPREZ:
>> > Randy,
>> >
>> > I'll change if there is no other possibilities.
>> >
>> > As for the link you gave me, thank you for it. I did a lot of digging
>> > in the documentation I could read. So far, nothing seems to work.
>> >
>> >
>> > Noel,
>> >
>> > version 2.0
>> >
>> > config setup
>> >         charonstart=no
>> >         interfaces="%none"
>> >         nat_traversal=no
>> >
>> > conn clear
>> >         auto=ignore
>> >
>> > conn clear-or-private
>> >         auto=ignore
>> >
>> > conn private-or-clear
>> >         auto=ignore
>> >
>> > conn private
>> >         auto=ignore
>> >
>> > conn block
>> >         auto=ignore
>> >
>> > conn packetdefault
>> >         auto=ignore
>> >
>> > conn %default
>> >         keyexchange=ikev1
>> >
>> > conn tunnel-1
>> >         left=a.a.a.a
>> >         right=b.b.b.b
>> >         leftsubnet=10.252.243.128/28
>> >         rightsubnet=172.23.149.0/24
>> >         leftsourceip=a.a.a.a
>> >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>> >         ikelifetime=86400s
>> >         dpddelay=15s
>> >         dpdtimeout=30s
>> >         dpdaction=restart
>> >         esp=aes256-sha1!
>> >         keylife=3600s
>> >         rekeymargin=540s
>> >         type=tunnel
>> >         authby=secret
>> >         pfs=no
>> >         compress=no
>> >         auto=start
>> >         keyingtries=%forever
>> >
>> >
>> > Also, I didn't get the imaginary configuration option part?
>> >
>> > Thanks
>> >
>> >
>> >
>> >
>> > On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <noel at familie-kuntze.de>
>> > wrote:
>> >
>> >
>> > Hello Alexandre,
>> >
>> > Please stop trying to use some imaginary configuration options and
>> > stick to those on the man page of ipsec.conf.
>> >
>> > What is your complete ipsec.conf? Pay attention to conn %default, if
>> > you have that, as it will bequeath its own options to _all_ other conns.
>> >
>> >
>> >
>> > Mit freundlichen Grüßen/Kind Regards,
>> > Noel Kuntze
>> >
>> > GPG Key ID: 0x63EC6658
>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >
>> > Am 05.06.2015 um 19:07 schrieb Alexandre DEPREZ:
>> > > Hi Randy,
>> >
>> > > I forgot to mention, I'm using this version:
>> >
>> > > Linux strongSwan U4.5.2/K3.2.0-4-amd64
>> >
>> > > Here it is:
>> >
>> > > conn tunnel-1
>> > >         left=a.a.a.a
>> > >         right=b.b.b.b
>> > >         leftsubnet=10.252.243.128/28
>> > >         rightsubnet=172.23.149.0/24
>> > >         leftsourceip=a.a.a.a
>> > >         ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>> > >         ikelifetime=86400s
>> > >         dpddelay=15s
>> > >         dpdtimeout=30s
>> > >         dpdaction=restart
>> > >         esp=aes256-sha1!
>> > >         keylife=3600s
>> > >         rekeymargin=540s
>> > >         type=tunnel
>> > >         authby=secret
>> > >         pfs=no
>> > >         compress=no
>> > >         auto=start
>> > >         keyingtries=%forever
>> >
>> > > I also tried to use
>> >
>> > >         leftxauthclient=no
>> > >         rightxauthserver=no
>> >
>> > > No changes.
>> >
>> > > Thanks
>> >
>> >
>> >
>> >
>> >
>> > > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <rwwyatt01 at gmail.com>
>> > > wrote:
>> >
>> > >     Please send a sanitized version of your configuration. xauth
>> > >     should only be sent if you configured it to be sent.
>> >
>> > >     On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <alex at madrouter.com>
>> > >     wrote:
>> >
>> > >         Hi,
>> >
>> > >         I'm using strongswan only for L2L VPN.
>> >
>> > >         It's been some time now that I cannot be the initiator of the
>> > >         VPN because strongswan is always sending an XAUTH option in the
>> > >         phase 1 establishment.
>> >
>> > >         When the other side is not configured to receive remote users,
>> > >         it's working, but when it is, I'm receiving L2TP/IPsec or some
>> > >         other remote access VPN protocols.
>> >
>> > >         I cannot wait for the other side to send me traffic in order
>> > >         to be the responder. I tried to recompile strongswan removing
>> > >         xauth, but it's not working.
>> >
>> > >         Is there any configuration command I can use to force
>> > >         strongswan not to send XAUTH?
>> >
>> > >         Thanks
>> >
>> > >         Alex
>> >
>> >
>> >
>> >
>> >
>> >
>> > >         _______________________________________________
>> > >         Users mailing list
>> > >         Users at lists.strongswan.org
>> > >         https://lists.strongswan.org/mailman/listinfo/users
>> >
>> >
>> >
>> >
>> > >     --
>> > >     Randy W. Wyatt
>> > >     rwwyatt01 at gmail.com
>> > >     Home: 858-309-5303
>> > >     Cell: 858-598-4421
>> > >     Fax: 858-408-7554
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>
>



-- 
Randy W. Wyatt
rwwyatt01 at gmail.com
Home: 858-309-5303
Cell: 858-598-4421
Fax: 858-408-7554
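As an added, constructed check (not code from this thread or from the strongSwan project): the script below parses an ipsec.conf, applies conn %default to every other conn the way Noel describes, and reports the options that would make strongSwan propose XAUTH, plus keys such as leftxauthclient that ipsec.conf(5) does not define. The sample config, and in particular the rightauth=xauth line placed in %default, is constructed for the demonstration and is not the poster's configuration.

```python
"""Check an ipsec.conf for settings that make strongSwan propose XAUTH.
Constructed example, not strongSwan's own parser: it merges 'conn %default'
into every other conn and reports XAUTH-related and undocumented keys."""
import re
# Documented ipsec.conf keys whose value can switch XAUTH on.
XAUTH_KEYS = {"xauth", "leftauth", "rightauth", "leftauth2", "rightauth2", "authby"}
SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")

def parse_ipsec_conf(text):
    """Return {name: {key: value}} for every 'conn' section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        match = SECTION_RE.match(line)
        if match:  # section header: keep 'conn' sections, skip config/ca
            current = conns.setdefault(match.group(2), {}) if match.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def xauth_findings(conns, name):
    """Findings for one conn after applying 'conn %default' (explicit keys win)."""
    default, own = conns.get("%default", {}), conns[name]
    findings = []
    for key, value in sorted({**default, **own}.items()):
        origin = "" if key in own else " (inherited from %default)"
        if key == "xauth" or (key in XAUTH_KEYS and "xauth" in value.lower()):
            findings.append(f"{key}={value} enables XAUTH{origin}")
        elif "xauth" in key.lower() and key not in XAUTH_KEYS:
            findings.append(f"{key} is not a documented ipsec.conf option, see ipsec.conf(5)")
    return findings

# Constructed sample: the thread's tunnel-1, cut down, plus a %default that
# (unlike the poster's) carries rightauth=xauth to show it reaching every conn.
SAMPLE = """conn %default
        keyexchange=ikev1
        rightauth=xauth

conn tunnel-1
        left=a.a.a.a
        right=b.b.b.b
        authby=secret
        leftxauthclient=no   # not an ipsec.conf option
"""

if __name__ == "__main__":
    for finding in xauth_findings(parse_ipsec_conf(SAMPLE), "tunnel-1"):
        print(finding)
```

Run it against your own ipsec.conf by reading the file into `parse_ipsec_conf` and calling `xauth_findings` for each conn; an empty list for a site-to-site conn means nothing in the merged configuration asks for XAUTH.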