[strongSwan] Successful IPSec connection, but how to access computer on other side?

Noel Kuntze noel at familie-kuntze.de
Tue Jun 9 17:54:55 CEST 2015



Hello Nicolas,

Output of "route" or "ifconfig" is useless. Please only post output
that "iproute2" produces, e.g. ip route, ip address.

The connection doesn't get initiated correctly. The other side deletes the IKE SA
after it gets established:

>received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108 bytes)
>parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]
>received DELETE for IKE_SA union[1]
>deleting IKE_SA union[1] between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
>initiating Main Mode IKE_SA union[2] to 83.136.y.y

Examine the other side and find out why that happens.


Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 09.06.2015 at 14:11, Nicolas Göddel wrote:
> Hi,
>
> I am new to the topics of VPN, IPSec, routing, iptables, etc.
>
> I have the scenario mentioned in the attachment. My IPSec Gateway is a Lubuntu with two network interfaces. eth0 is connected to the internal LAN. There is a switch which connects a few Windows computers with a Cisco RV042 router and the Lubuntu (IPSec Gateway). The Cisco gives internet access over a fast internet connection and has DHCP enabled so that all Windows computers get their IP address from this router and are able to use the internet. At the moment Lubuntu is configured with a static IP within the subnet 192.168.1.0/24. On eth1 there is connected a second modem with the static IP 176.94.x.x which should be used to create a Site-to-Site IPSec connection to another company.
>
> _route looks like this:_
>
> root at vpn-server:~# LANG=C route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         business-176-09 0.0.0.0         UG    0      0        0 eth1
> 176.94.52.88    *               255.255.255.248 U     1      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
>
> _This is /etc/ipsec.conf:_
>
> config setup
>         charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
>
> conn union
>         left=176.94.x.x
>         leftsubnet=10.100.1.0/24
>         leftsourceip=10.100.1.1
>         leftfirewall=yes
>         right=83.136.y.y
>         rightsubnet=10.251.0.0/16
>         auto=add
>         ikelifetime=24h
>         lifetime=1h
>         type=tunnel
>         lifebytes=4718592000
>         ike=aes256-sha256-modp2048
>         esp=aes256-sha256-modp2048
>         authby=psk
>         keyexchange=ikev1
>         lefthostaccess=yes
>
> _This is /etc/strongswan.conf:_
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> }
>
> include strongswan.d/*.conf
>
> _This is ifconfig -a:_
>
> root at vpn-server:~# ifconfig -a
> eth0      Link encap:Ethernet  Hardware Adresse c4:6e:1f:06:10:90
>           inet Adresse:192.168.1.152  Bcast:192.168.1.255  Maske:255.255.255.0
>           inet6-Adresse: fe80::c66e:1fff:fe06:1090/64 Gültigkeitsbereich:Verbindung
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>           RX-Pakete:1355634 Fehler:0 Verloren:360 Überläufe:0 Fenster:0
>           TX-Pakete:12684 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>           Kollisionen:0 Sendewarteschlangenlänge:1000
>           RX-Bytes:113088435 (113.0 MB)  TX-Bytes:1505232 (1.5 MB)
>
> eth1      Link encap:Ethernet  Hardware Adresse 00:1b:fc:90:80:51
>           inet Adresse:176.94.x.x  Bcast:176.94.x.x  Maske:255.255.255.248
>           inet6-Adresse: fe80::21b:fcff:xxxx:xxxx/64 Gültigkeitsbereich:Verbindung
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>           RX-Pakete:1955017 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
>           TX-Pakete:1898517 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>           Kollisionen:0 Sendewarteschlangenlänge:1000
>           RX-Bytes:472209413 (472.2 MB)  TX-Bytes:443885596 (443.8 MB)
>
> lo        Link encap:Lokale Schleife
>           inet Adresse:127.0.0.1  Maske:255.0.0.0
>           inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
>           UP LOOPBACK RUNNING  MTU:65536  Metrik:1
>           RX-Pakete:10137 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
>           TX-Pakete:10137 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>           Kollisionen:0 Sendewarteschlangenlänge:0
>           RX-Bytes:1341831 (1.3 MB)  TX-Bytes:1341831 (1.3 MB)
>
> _This is starting ipsec:_
>
> root at vpn-server:~# ipsec start
> Starting strongSwan 5.1.2 IPsec [starter]...
> root at vpn-server:~# ipsec up union
> initiating Main Mode IKE_SA union[1] to 83.136.y.y
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (196 bytes)
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108 bytes)
> parsed ID_PROT response 0 [ SA V ]
> received NAT-T (RFC 3947) vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (396 bytes)
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (456 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received DPD vendor ID
> received unknown vendor ID: 75:37:a8:c7:39:54:ff:f2:a8:f6:8d:a3:d4:0b:63:11
> received XAuth vendor ID
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (92 bytes)
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (92 bytes)
> parsed ID_PROT response 0 [ ID HASH ]
> IKE_SA union[1] established between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
> scheduling reauthentication in 85375s
> maximum IKE_SA lifetime 85915s
> generating TRANSACTION request 247522367 [ HASH CPRQ(ADDR DNS) ]
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (92 bytes)
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108 bytes)
> parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]
> received DELETE for IKE_SA union[1]
> deleting IKE_SA union[1] between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
> initiating Main Mode IKE_SA union[2] to 83.136.y.y
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (196 bytes)
> connection 'union' established successfully
> root at vpn-server:~# ipsec status
> Security Associations (1 up, 0 connecting):
>        union[1627]: CONNECTING, 176.94.x.x[%any]...83.136.y.y[%any]
>
> Now I want to be able to ping the computer on the other side with the IP address 10.251.232.75 from Lubuntu. What do I have to do?
> Later I want to be able to connect from any Windows PC to 10.251.232.75. What do I have to do then?
> I can assume that the other side is configured correctly, so that I should be able to ping 10.251.232.75 from my side. But first I have to do things right on my side.
>
> I thought strongswan would create a virtual interface like openvpn does. I guess this way I would be able to use this virtual interface as a gateway to the VPN/IPSec tunnel.
> What do I need, where can I read about this scenario? Do you need more information?
>
> Thank you!
>
> --
> ——————————————————————————————————————————————
> Homepage: http://freakscorner.de
> Facebook: http://www.facebook.com/Bastelkeller
> Twitter: http://twitter.com/freaks_corner
> Youtube: http://youtube.com/tubenic86
>
>

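As an added example that is not part of the thread: a small Python checker that walks charon output like the lines quoted above and flags what Noel points out, a DELETE sent by the peer for an IKE_SA right after it was established, and the fact that no CHILD_SA ever came up, so the "established successfully" line printed by ipsec up (followed by a CONNECTING state in ipsec status) is not evidence of a working tunnel. The regexes assume strongSwan's default log wording; the log excerpt is constructed from the lines posted in the thread.

```python
import re

# Constructed excerpt modelled on the charon output posted in the thread.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA union[1] to 83.136.y.y
IKE_SA union[1] established between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
generating TRANSACTION request 247522367 [ HASH CPRQ(ADDR DNS) ]
parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]
received DELETE for IKE_SA union[1]
deleting IKE_SA union[1] between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
initiating Main Mode IKE_SA union[2] to 83.136.y.y
connection 'union' established successfully
"""

# Default strongSwan message formats (assumed unchanged by the local config).
ESTABLISHED = re.compile(r"^IKE_SA (\w+)\[(\d+)\] established")
PEER_DELETE = re.compile(r"^received DELETE for IKE_SA (\w+)\[(\d+)\]")
CHILD_UP = re.compile(r"^CHILD_SA (\w+)\{(\d+)\} established")


def analyse(log: str) -> dict:
    """Walk charon log lines in order and report which IKE_SAs the peer tore
    down after they were established, and whether any CHILD_SA (the actual
    ESP tunnel) ever came up. The posted log has no timestamps, so distance
    is measured in log lines rather than seconds."""
    established = {}   # (conn, unique id) -> line index of "established"
    peer_deleted = []  # (conn, unique id, lines between establish and delete)
    child_sas = []     # (conn, unique id) of CHILD_SAs that came up
    for idx, line in enumerate(log.splitlines()):
        m = ESTABLISHED.match(line)
        if m:
            established[(m[1], int(m[2]))] = idx
            continue
        m = PEER_DELETE.match(line)
        if m:
            key = (m[1], int(m[2]))
            if key in established:  # peer deleted an SA we had just brought up
                peer_deleted.append((key[0], key[1], idx - established[key]))
            continue
        m = CHILD_UP.match(line)
        if m:
            child_sas.append((m[1], int(m[2])))
    return {"peer_deleted": peer_deleted,
            "child_sas": child_sas,
            "tunnel_usable": bool(child_sas)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the posted log the result names union[1] as deleted by the peer three lines after it was established and reports no CHILD_SA, which matches Noel's reading and points the investigation at the other side's configuration.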
