[strongSwan] Reg : Protocal specific encryption in Strongswan 5.3
Sindhu S. (sins)
sins at cisco.com
Thu Oct 8 07:54:27 CEST 2015
Hi Noel,
Below code encrypts all the packets on eth1 interface.
Code:
leftsubnet=%dynamic[]
rightsubnet=%dynamic[]
type=transport
Listening IP addresses:
10.64.69.118
2001:db8:0:f101::2
fd08:2eef:c2ee:0:aabb:cc00:c900:11
fd08:2eef:c2ee:0:aabb:cc00:c900:31
fd08:2fff:c2ee:0:aabb:cc00:c900:2
Connections:
snbi_new_ipv6: fe80::20c:29ff:fea8:e174%eth1...fe80::20c:29ff:feb2:ae2f%eth1 IKEv2
snbi_new_ipv6: local: [fe80::20c:29ff:fea8:e174] uses pre-shared key authentication
snbi_new_ipv6: remote: [fe80::20c:29ff:feb2:ae2f] uses pre-shared key authentication
snbi_new_ipv6: child: dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
snbi_new_ipv6[1]: ESTABLISHED 38 seconds ago, fe80::20c:29ff:fea8:e174[fe80::20c:29ff:fea8:e174]...fe80::20c:29ff:feb2:ae2f[fe80::20c:29ff:feb2:ae2f]
snbi_new_ipv6[1]: IKEv2 SPIs: 608f1bced89f05fa_i 705b6afabeeaafd6_r*, pre-shared key reauthentication in 23 hours
snbi_new_ipv6[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_512/MODP_1024
snbi_new_ipv6{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c9966614_i cffeac08_o
snbi_new_ipv6{1}: AES_CBC_128, 436 bytes_i (7 pkts, 3s ago), 436 bytes_o (7 pkts, 3s ago), rekeying in 55 minutes
snbi_new_ipv6{1}: fe80::20c:29ff:fea8:e174/128 === fe80::20c:29ff:feb2:ae2f/128
I want Only GRE packets on eth1 should get encrypt, So I added
Code:
leftsubnet=%dynamic[gre]
rightsubnet=%dynamic[gre]
type=transport
But now,Packets are not getting encrypted and also ping is not working.
Listening IP addresses:
10.64.69.118
2001:db8:0:f101::2
fd08:2eef:c2ee:0:aabb:cc00:c900:11
fd08:2eef:c2ee:0:aabb:cc00:c900:31
fd08:2fff:c2ee:0:aabb:cc00:c900:2
Connections:
snbi_new_ipv6: fe80::20c:29ff:fea8:e174%eth1...fe80::20c:29ff:feb2:ae2f%eth1 IKEv2
snbi_new_ipv6: local: [fe80::20c:29ff:fea8:e174] uses pre-shared key authentication
snbi_new_ipv6: remote: [fe80::20c:29ff:feb2:ae2f] uses pre-shared key authentication
snbi_new_ipv6: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (1 up, 0 connecting):
snbi_new_ipv6[1]: ESTABLISHED 56 seconds ago, fe80::20c:29ff:fea8:e174[fe80::20c:29ff:fea8:e174]...fe80::20c:29ff:feb2:ae2f[fe80::20c:29ff:feb2:ae2f]
snbi_new_ipv6[1]: IKEv2 SPIs: 4aabd666d01b2aae_i 76b8b8d4769906e9_r*, pre-shared key reauthentication in 23 hours
snbi_new_ipv6[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_512/MODP_1024
snbi_new_ipv6{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c7f2305d_i cb2e9d34_o
snbi_new_ipv6{1}: AES_CBC_128, 0 bytes_i, 0 bytes_o, rekeying in 53 minutes
snbi_new_ipv6{1}: fe80::20c:29ff:fea8:e174/128[gre] === fe80::20c:29ff:feb2:ae2f/128[gre]
Thanks,
Sindhu
-----Original Message-----
From: Noel Kuntze [mailto:noel at familie-kuntze.de]
Sent: Wednesday, October 07, 2015 4:37 PM
To: Sindhu S. (sins); users at lists.strongswan.org
Subject: Re: [strongSwan] Reg : Protocal specific encryption in Strongswan 5.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Sindhu,
A good first step is change your ESP
settings to the default value
esp=aes,sha!
> snbi_new_ipv6{1}: fe80::20c:29ff:fea8:e174/128[gre] === fe80::20c:29ff:feb2:ae2f/128[gre]
The tunnel is up.
That's probably no longer a configuration issue.
- --
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWFPzSAAoJEDg5KY9j7GZYjMAP/11z1u/UHFJ1Szg7YUISSkLO
WRYp5M3taxa0BUo5U6sdnPE43WhUkNk3nEKg6yP77LziecfYKKiPkH0oYwq30/3N
lXqrLK9bZdmd0LTayUN7hmJgavpLTB4GO/7gGzq/xLWzwSE+eoPrZY4Q4dvFmfa6
izIkJT5/aAKklDMfZ2PmCtD6R5qoijxgwnpqvHYO4zjWZ/3/31Zc6mUFu/lVNNp4
zXeXaaU+DKKktyKwbUiVGZ/K6NScAfK6rxw1RTH8jRAc08rRg71xMU4/skmRxFjE
DsGxRMLWDGtxzXwZZGRSn43ucNUh1R0Xqw0aXcRGopHhRrjuYex8lpd5sY+MCO1n
zbCDunE6xFeHZb3WywlRsCd+qiidkOFyYIh4gDwzUQyD9lEwj4De7B9E2Org5D7l
iNJhLw0s5T2nUYliwf0gPon4FKX8PF/Is8kR7qyjGMqsSwRFgTOLEeiPMcRwvkx6
wUVR/WY5mIG2s/7daUXYTtkao2dRhnZRbWta5Ghjm8Mp0l0q6D9tvQu/KnXiwcEH
Zw9EeQnxeEmHK5cCU9YHecO6xDdzOnGvJ45RQXRPqR7BZnb2kjrbs66zML4qZfOk
K8eQNQVCSHxZ9y4X5s5XDXfJpzMgGKRjijWqvEu2p9166vRlpXzz3XuiMQS7Q58Y
xqWqPdfvU5qvXWOWyv7w
=dKIk
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151008/94f99a99/attachment-0001.html>
More information about the Users
mailing list