[strongSwan] vpn clients (cisco/shrewsoft and other cisco unity clients) connectivity issues with Strongswan-v5.2.1
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Sun May 3 23:24:48 CEST 2015
Hello Martin,
Sorry for replying, acknowledging and reporting the results so late in
the day.
Yes!!! Your advice and solution was spot-on and worked. For the benefit of
other users and for future reference, I am posting the sample configs
used on both the server side (vpn/roadwarrior server for unity-supported
clients, plus a commented-out section that can be used for other standard
vpn clients, etc.) and the client side.
These samples include the other conf files (plugins) used on the server side
and the client side. Hopefully this info will be of some help.
Thanks once again for your kind help.
=======================================
On Server-side sample config
ipsec.conf
------------
#/etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
charondebug="ike 1, knl 1, cfg 1"
conn %default
ikelifetime=8h
keylife=3h
rekeymargin=9m
keyingtries=1
mobike=no
dpddelay=30s
dpdtimeout=120s
dpdaction=clear
conn cscovpnclients1
aggressive=yes
left=1.1.1.3
leftsubnet=192.168.2.0/24,172.16.0.0/16
leftid=@vpnsrv1.svttest.com
leftauth=psk
right=%any
rightsourceip=192.168.219.0/24
rightauth=psk
rightauth2=xauth
keyexchange=ikev1
ike=aes256-sha1-modp1024
esp=aes128-sha1
xauth=server
modeconfig=pull
auto=add
#
#conn otherclients1
# left=1.1.1.3
# leftsubnet=0.0.0.0/0
# leftid=@vpnsrv2.svttest.com
# leftauth=psk
# right=%any
# rightsourceip=192.168.220.0/24
# rightauth=psk
# rightauth2=xauth
# keyexchange=ikev1
# ike=aes128-sha1-modp1024
# esp=aes128-sha1
# xauth=server
# modeconfig=pull
# auto=add
-------------------
ipsec.secrets
------------------
#/etc/ipsec.secrets - strongSwan IPsec secrets file
@vpnsrv1.svttest.com @remoteclient.svttest.com : PSK "123456789"
@vpnsrv2.svttest.com @otherclient.svttest.com : PSK "123456"
user1 : XAUTH "config123"
user2 : XAUTH "config1234"
user3 : XAUTH "config12345"
testuser1 : XAUTH "4iChxLT3"
testuser2 : XAUTH "ryftzG4A"
-------------------
attr.conf
--------------------
# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {
# <attr> is an attribute name or an integer, values can be an IP address,
# subnet or arbitrary value.
# <attr> =
dns = 192.168.2.20, 192.168.2.21
nbns = 172.16.1.2, 172.16.1.3
# the attribute for local-lan networks to be excluded from tunneling on the client
# #split-exclude = 10.0.0.0/8, 172.31.1.0/24
# the attribute for backup-server ipaddresses
28681 = 10.232.90.122, 10.232.90.124
# the attribute for default-domain name for the connected client
28674 = svt1test.com
# the attribute for split-dns domain names for the connected client
28675 = svt1test.com svt2test.com
# the attribute for unity banner name for the connected client
28672 = "Welcome ...You are Connected"
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
}
------------------
charon.conf
------------------
enable/uncomment the below 2 options in this file on server
cisco_unity = yes
i_dont_care_about_security_and_use_aggressive_mode_psk = yes
--------------
unity.conf
-------------
unity {
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
}
=================================
On client-side (a GW running, say, strongSwan as a client)
---------------------------------------------------------------------
ipsec.conf
-------------
#/etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
charondebug="ike 1, knl 1, cfg 1"
conn %default
ikelifetime=8h
keylife=3h
rekeymargin=9m
keyingtries=1
mobike=no
dpddelay=30s
dpdtimeout=120s
dpdaction=clear
conn csvpnclnt1
aggressive=yes
left=1.1.1.2
leftid=@remoteclient.svttest.com
leftsourceip=%config
leftauth=psk
leftauth2=xauth
right=1.1.1.3
rightid=@vpnsrv1.svttest.com
rightauth=psk
keyexchange=ikev1
ike=aes256-sha1-modp1024
esp=aes128-sha1
modeconfig=pull
xauth=client
xauth_identity=user1
auto=start
---------------
ipsec.secrets
----------------
#/etc/ipsec.secrets - strongSwan IPsec secrets file
@remoteclient.svttest.com @vpnsrv1.svttest.com : PSK "123456789"
user1 : XAUTH "config123"
------------------
charon.conf
------------------
enable/uncomment the below 2 options in this file on server
cisco_unity = yes
i_dont_care_about_security_and_use_aggressive_mode_psk = yes
--------------
unity.conf
-------------
unity {
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
}
----------
resolve.conf
--------------------
uncomment the below line in this plugin file
file = /etc/resolv.conf
===============================================
thanks & regards
rajiv
On Thu, Dec 4, 2014 at 3:01 PM, Martin Willi <martin at strongswan.org> wrote:
> Hi,
>
> > leftsubnet=192.168.2.0/24,172.16.0.0/16
>
> Are you using the unity plugin to negotiate multiple subnets in IKEv1?
>
> > modeconfig=push
>
> Which of your clients is using push mode? Most of them probably use pull
> mode, and you must have the correct mode configured on the used
> strongSwan connection for each client.
>
> > 1. Quick mode is failing when i use shrew-soft-vpn clients (and the
> server
> > is configured with cisco unity extensions in the attr.conf file)
>
> It seems that it fails because of the wrong modeconfig configuration:
> Mode Config is triggered twice in your log, once in push and once in
> pull mode. Try to set modeconfig=pull, refer to [1] for details.
>
> Regards
> Martin
>
> [1] https://wiki.strongswan.org/issues/764#note-12
>
>
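As an added example (not code from the post or from strongSwan itself), a small Python check that parses ipsec.conf / ipsec.secrets text and flags the mismatches this thread turned on: a push/pull modeconfig disagreement between client and server, a PSK whose identities do not match the client's leftid/rightid, and aggressive mode with PSK. The sample configs are constructed from the values above and deliberately keep the pre-fix push setting and a misspelled client ID so the check has something to report.

```python
import re
# Constructed sample, condensed from the thread: the client keeps the pre-fix
# modeconfig=push, and the secrets spell the client ID unlike its leftid.
SERVER_CONF = """conn cscovpnclients1
    aggressive=yes
    leftid=@vpnsrv1.svttest.com
    ike=aes256-sha1-modp1024
    modeconfig=pull"""
CLIENT_CONF = """conn csvpnclnt1
    aggressive=yes
    leftid=@remoteclient.svttest.com
    rightid=@vpnsrv1.svttest.com
    ike=aes256-sha1-modp1024
    modeconfig=push"""
SERVER_SECRETS = '@vpnsrv1.svttest.com @remotclient.svttest.com : PSK "123456789"'
CLIENT_SECRETS = '@remotclient.svttest.com @vpnsrv1.svttest.com : PSK "123456789"'

def parse_conf(text):
    # ipsec.conf: "conn NAME" / "config setup" open a section, key=value fills it
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            cur = sections.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return sections

def psk_id_pairs(text):  # ipsec.secrets "ID1 ID2 : PSK ..." -> unordered {ID1, ID2} pairs
    return {frozenset(m.groups()) for m in re.finditer(r"(?m)^\s*(\S+)\s+(\S+)\s*:\s*PSK\s", text)}

def check(srv, cli, srv_secrets, cli_secrets):
    # Compare one server conn with one client conn; return a list of findings.
    out = []
    if srv.get("modeconfig", "pull") != cli.get("modeconfig", "pull"):
        out.append("modeconfig mismatch: Mode Config would run in both modes")
    out += ["%s proposal differs" % p for p in ("ike", "esp") if srv.get(p) != cli.get(p)]
    ids = frozenset((cli["leftid"], cli["rightid"]))
    for side, sec in (("server", srv_secrets), ("client", cli_secrets)):
        if ids not in psk_id_pairs(sec):
            out.append("%s ipsec.secrets has no PSK for %s" % (side, sorted(ids)))
    if srv.get("aggressive") == "yes":
        out.append("aggressive mode: peer IDs travel in clear and the PSK hash is exposed to offline guessing")
    return out

def run():
    srv, cli = parse_conf(SERVER_CONF)["cscovpnclients1"], parse_conf(CLIENT_CONF)["csvpnclnt1"]
    return check(srv, cli, SERVER_SECRETS, CLIENT_SECRETS)
```

Point it at the real files (read them and pass the text in) to confirm that after switching the client to modeconfig=pull and aligning the IDs, only the aggressive-mode finding remains.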