[strongSwan] Fwd: Re: FritzBox to Strongswan
post at daniel-pomrehn.de
post at daniel-pomrehn.de
Fri Nov 25 10:34:20 CET 2016
Hi!
Am 2016-11-24 20:35, schrieb Mirko Parthey:
> On Thu, Nov 24, 2016 at 06:11:18PM +0100, post at daniel-pomrehn.de wrote:
>> >>I'm trying to connect a FritzBox to a Strongswan Linux Server.
>> >>But I get the following error: no IKE config found for
>> >>138.201.84.186...77.11.69.219, sending NO_PROPOSAL_CHOSE
>> >
>> >Please check the server's logfile for "received proposals" and
>> >"configured proposals".
>>
>> which logging options will I have to set? I can't find any proposals
>> message
>> in the logs.
>
> in /etc/ipsec.conf:
> config setup
> charondebug = "cfg 2"
>
> or in /etc/strongswan.d/charon-logging.conf (modify as you like it):
> charon {
> filelog {
> /tmp/charon.log {
> cfg = 2
> }
> }
> }
Thank you very much! I have attached the log to this e-Mail.
I did some further google research and changed some settings. Now I get
another error:
sending packet: from 127.0.1.1[500] to 77.13.29.160[500] (1188 bytes)
sending packet: from 127.0.1.1[500] to 77.13.29.160[500]
error writing to socket: Invalid argument
77.13.29.160 is the IP of the fritzbox and the dyndns name is pointing
to.
This is my latest ipsec.conf:
config setup
charondebug="ike 2, knl 2, cfg 2, net 2"
conn fritz2swan
ike=aes128-sha-modp1024
esp=aes128-sha1
right=dyn.fritzbox
rightid=@dyn.fritzbox
rightsubnet=192.168.1.0/24
left=srv.strongswan
leftsubnet=192.168.50.0/24
authby=secret
ikelifetime=4h
keylife=1h
auto=add
My Fritzbox Config looks like:
vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "srv.strongswan";
always_renew = yes;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "srv.strongswan";
localid {
fqdn = "dyn.fritzbox";
}
remoteid {
fqdn = "srv.strongswan";
}
mode = phase1_mode_idp;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "verysecret";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.1.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 192.168.50.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 192.168.50.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
>
>> >Can the server resolve the DNS name of the FritzBox to its
>> >current IP address?
>>
>> Yes, it can be reached.
>
> I meant you should resolve the FritzBox name to an IP address.
> Run this on the server:
> $ host dyn.fritzbox
> dyn.fritzbox has address a.b.c.d
> Then initiate a connection from the FritzBox and check the server logs
> if the connection originates from a.b.c.d or from a different address.
>
I checked it. host dyn.fritzbox gives the same address which is send
from the fritzbox.
> Which strongSwan version are running?
> You may have to update.
> I had a similar setup working with strongSwan 5.5.0.
I did a update to Strongswan 5.5.1.
>
> Which FritzBox? Does it have the latest firmware installed?
It is a fritzbox 7490 with the latest Firmware 6.60
>
> It would be easier to help you if you provided logfiles!
See complet logfile attached.
>
> Regards
> Mirko
Best regards
Daniel
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161125/d586fd64/attachment-0001.txt>
More information about the Users
mailing list