[strongSwan] Fwd: Re: FritzBox to Strongswan

post at daniel-pomrehn.de post at daniel-pomrehn.de
Fri Nov 25 10:34:20 CET 2016


Hi!


On 2016-11-24 20:35, Mirko Parthey wrote:
> On Thu, Nov 24, 2016 at 06:11:18PM +0100, post at daniel-pomrehn.de wrote:
>> >>I'm trying to connect a FritzBox to a Strongswan Linux Server.
>> >>But I get the following error: no IKE config found for
>> >>138.201.84.186...77.11.69.219, sending NO_PROPOSAL_CHOSE
>> >
>> >Please check the server's logfile for "received proposals" and
>> >"configured proposals".
>> 
>> which logging options will I have to set? I can't find any proposals 
>> message
>> in the logs.
> 
> in /etc/ipsec.conf:
> config setup
> 	charondebug = "cfg 2"
> 
> or in /etc/strongswan.d/charon-logging.conf (modify as you like it):
> charon {
>     filelog {
>         /tmp/charon.log {
>             cfg = 2
>         }
>     }
> }

Thank you very much! I have attached the log to this e-mail.


I did some further Google research and changed some settings. Now I get 
another error:
sending packet: from 127.0.1.1[500] to 77.13.29.160[500] (1188 bytes)
   sending packet: from 127.0.1.1[500] to 77.13.29.160[500]
   error writing to socket: Invalid argument

77.13.29.160 is the IP of the FritzBox, and the DynDNS name is pointing 
to it.



This is my latest ipsec.conf:
config setup
         charondebug="ike 2, knl 2, cfg 2, net 2"
conn fritz2swan
         ike=aes128-sha-modp1024
         esp=aes128-sha1
         right=dyn.fritzbox
         rightid=@dyn.fritzbox
         rightsubnet=192.168.1.0/24

         left=srv.strongswan
         leftsubnet=192.168.50.0/24
         authby=secret

         ikelifetime=4h
         keylife=1h

         auto=add


My Fritzbox Config looks like:
vpncfg {
         connections {
                 enabled = yes;
                 conn_type = conntype_lan;
                 name = "srv.strongswan";
                 always_renew = yes;
                 reject_not_encrypted = no;
                 dont_filter_netbios = yes;
                 localip = 0.0.0.0;
                 local_virtualip = 0.0.0.0;
                 remoteip = 0.0.0.0;
                 remote_virtualip = 0.0.0.0;
                 remotehostname = "srv.strongswan";
                 localid {
                         fqdn = "dyn.fritzbox";
                 }
                 remoteid {
                         fqdn = "srv.strongswan";
                 }
                 mode = phase1_mode_idp;
                 phase1ss = "all/all/all";
                 keytype = connkeytype_pre_shared;
                 key = "verysecret";
                 cert_do_server_auth = no;
                 use_nat_t = yes;
                 use_xauth = no;
                 use_cfgmode = no;
                 phase2localid {
                         ipnet {
                                 ipaddr = 192.168.1.0;
                                 mask = 255.255.255.0;
                         }
                 }
                 phase2remoteid {
                         ipnet {
                                 ipaddr = 192.168.50.0;
                                 mask = 255.255.255.0;
                         }
                 }
                 phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                 accesslist = "permit ip any 192.168.50.0 255.255.255.0";
         }
         ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                             "udp 0.0.0.0:4500 0.0.0.0:4500";
}



> 
>> >Can the server resolve the DNS name of the FritzBox to its
>> >current IP address?
>> 
>> Yes, it can be reached.
> 
> I meant you should resolve the FritzBox name to an IP address.
> Run this on the server:
> $ host dyn.fritzbox
>   dyn.fritzbox has address a.b.c.d
> Then initiate a connection from the FritzBox and check the server logs
> if the connection originates from a.b.c.d or from a different address.
> 


I checked it. host dyn.fritzbox gives the same address which is sent 
from the FritzBox.


> Which strongSwan version are running?
> You may have to update.
> I had a similar setup working with strongSwan 5.5.0.

I did an update to strongSwan 5.5.1.

> 
> Which FritzBox? Does it have the latest firmware installed?

It is a FritzBox 7490 with the latest firmware 6.60.

> 
> It would be easier to help you if you provided logfiles!


See complete logfile attached.

> 
> Regards
> Mirko

Best regards
Daniel
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161125/d586fd64/attachment-0001.txt>
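One way to automate the checks Mirko asks for above (compare the received and configured proposals, confirm the peer address in "no IKE config found for" matches what the FritzBox DynDNS name resolves to, and notice that the "sending packet: from 127.0.1.1" line shows charon binding to a loopback address). This is an added example, not code from the thread or from strongSwan; the log excerpt and the DNS mapping that stands in for `host dyn.fritzbox` are constructed.

```python
"""Triage helper for a strongSwan charon log (added example, not from the thread)."""
import re
import ipaddress

# Constructed log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
no IKE config found for 138.201.84.186...77.11.69.219, sending NO_PROPOSAL_CHOSEN
sending packet: from 127.0.1.1[500] to 77.13.29.160[500] (1188 bytes)
error writing to socket: Invalid argument
"""

# Constructed stand-in for DNS: what `host <name>` would return on the server.
RESOLVED = {"dyn.fritzbox": "77.13.29.160", "srv.strongswan": "127.0.1.1"}

NO_CONFIG = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+),")
SENDING = re.compile(r"sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
PROPOSALS = re.compile(r"(received|configured) proposals: (.+)")

def triage(log_text, resolved, peer_name):
    """Return a list of findings (strings) for a charon log excerpt."""
    findings = []
    proposals = {}
    for line in log_text.splitlines():
        m = PROPOSALS.search(line)
        if m:  # proposal lists are comma separated, one entry per proposal
            proposals[m.group(1)] = set(m.group(2).split(", "))
        m = NO_CONFIG.search(line)
        if m:  # format is "<local>...<remote>"; compare remote to the DynDNS name
            _, peer = m.groups()
            expected = resolved.get(peer_name)
            if peer != expected:
                findings.append(f"peer {peer} differs from {peer_name} ({expected}); check right=/rightid= and DNS freshness")
        m = SENDING.search(line)
        if m:  # a loopback source means left= resolved to 127.x (e.g. via /etc/hosts)
            src, _ = m.groups()
            if ipaddress.ip_address(src).is_loopback:
                findings.append(f"local address {src} is loopback; left= must resolve to a routable interface address")
    if "received" in proposals and "configured" in proposals and not proposals["received"] & proposals["configured"]:
        findings.append("no overlap between received and configured IKE proposals; align ike= with the peer")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, RESOLVED, "dyn.fritzbox"):
        print(finding)
```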
