[strongSwan] Don't know where to start

Rene Maurer rmnet at mailc.net
Tue Apr 25 19:05:59 CEST 2017


Hello Noel

On 25.04.2017 12:50, Noel Kuntze wrote:

Thank you very much for answering!

> "left=%config" doesn't make sense. %config is neither a known keyword nor a valid resolvable hostname.
> If your routing table is sane and specifies the source IPs for the routes, you don't need to set this at all.

Thanks again. This is ok now.
Routing is as follows:

# ip route show table 220
10.4.30.0/24 via xxx.137.25.195 dev ppp0  proto static src 10.4.48.1

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.4.48.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0

And as already said:
>> # net.ipv4.ip_forward = 1
>> # iptables -t nat -A POSTROUTING -o ppp0 -j ACCEPT
>> # iptables -A FORWARD -i eth0 -j ACCEPT

> Make sure you use the right IKE version.
Ok. Switch uses "IKEv2 only mode" and I use "keyexchange=ikev2".

> Check if the packets arrive at the switch.
My partner (at remote site) can do this tomorrow.

But when I look at the log on my site together with
"tcpdump -i ppp0", I have the impression that ikev2_auth
is sent (once).

----------------------------------------------------------------------
Apr 25 16:32:28 daemon.info syslog: 05[IKE] establishing CHILD_SA home{1}
Apr 25 16:32:28 authpriv.info syslog: 05[IKE] establishing CHILD_SA home{1}
Apr 25 16:32:28 daemon.info syslog: 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
16:32:32.802620 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with message ID 1
Apr 25 16:32:32 daemon.info syslog: 03[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
16:32:33.888422 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap: isakmp: parent_sa inf2
16:32:33.898140 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: parent_sa inf2[IR]
Apr 25 16:32:33 daemon.info syslog: 02[NET] received packet: from xxx.137.25.195[4500] to 10.64.33.100[4500] (80 bytes)
Apr 25 16:32:33 daemon.info syslog: 02[ENC] parsed INFORMATIONAL request 0 [ ]
Apr 25 16:32:33 daemon.info syslog: 02[ENC] generating INFORMATIONAL response 0 [ ]
Apr 25 16:32:33 daemon.info syslog: 02[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (80 bytes)
16:32:38.947424 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap: isakmp: child_sa  inf2
16:32:38.964954 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: child_sa  inf2[IR]
----------------------------------------------------------------------

NB: Any idea why I have seen your answer only on the mail-archive website?

Kind regards
René
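As an added worked example (not part of René's or Noel's messages, and not a strongSwan tool), the following script parses an interleaved charon syslog and tcpdump excerpt of the kind quoted above and pairs IKEv2 requests with their responses by message ID. It assumes the default charon log wording ("generating X request N", "retransmit k of request with message ID N", "parsed X response N") and the tcpdump `NONESP-encap: isakmp:` summary format; the sample input is a copy of the lines in the post, embedded here so the script runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the interleaved strongSwan syslog and tcpdump lines quoted in the post.
SAMPLE_LOG = """\
Apr 25 16:32:28 daemon.info syslog: 05[IKE] establishing CHILD_SA home{1}
Apr 25 16:32:28 daemon.info syslog: 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
16:32:32.802620 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with message ID 1
Apr 25 16:32:32 daemon.info syslog: 03[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
16:32:33.888422 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap: isakmp: parent_sa inf2
16:32:33.898140 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: parent_sa inf2[IR]
Apr 25 16:32:33 daemon.info syslog: 02[NET] received packet: from xxx.137.25.195[4500] to 10.64.33.100[4500] (80 bytes)
Apr 25 16:32:33 daemon.info syslog: 02[ENC] parsed INFORMATIONAL request 0 [ ]
Apr 25 16:32:33 daemon.info syslog: 02[ENC] generating INFORMATIONAL response 0 [ ]
Apr 25 16:32:33 daemon.info syslog: 02[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (80 bytes)
16:32:38.947424 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap: isakmp: child_sa  inf2
16:32:38.964954 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: child_sa  inf2[IR]
"""

# Assumed charon log wording (default strongSwan ENC/IKE/NET log lines).
GEN_REQ = re.compile(r"\[ENC\] generating (\w+) request (\d+)")
PARSED_RESP = re.compile(r"\[ENC\] parsed (\w+) response (\d+)")
RETRANSMIT = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")
PARSED_REQ = re.compile(r"\[ENC\] parsed (\w+) request (\d+)")
GEN_RESP = re.compile(r"\[ENC\] generating (\w+) response (\d+)")
SENDING = re.compile(r"\[NET\] sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
# Assumed tcpdump summary line for UDP-encapsulated IKE: "<time> IP a.b.c.d.port > e.f.g.h.port: NONESP-encap: isakmp: <sa> <exchange>"
TCPDUMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+) > (\S+): NONESP-encap: isakmp: \S+\s+(\S+)")


def analyse(log_text):
    """Pair IKEv2 requests with responses by message ID and count packets seen on the wire."""
    ours = {}      # message ID -> state of requests this host initiated
    theirs = {}    # message ID -> state of requests the peer initiated
    wire = defaultdict(Counter)   # direction -> tcpdump exchange label -> packet count
    local = peer = None
    for line in log_text.splitlines():
        if m := SENDING.search(line):
            # Learn which address is ours from charon's own "sending packet" line.
            local, peer = m.group(1), m.group(2)
        elif m := GEN_REQ.search(line):
            ours[int(m.group(2))] = {"exchange": m.group(1), "sends": 1, "answered": False}
        elif m := RETRANSMIT.search(line):
            mid = int(m.group(2))
            if mid in ours:
                ours[mid]["sends"] += 1
        elif m := PARSED_RESP.search(line):
            mid = int(m.group(2))
            if mid in ours:
                ours[mid]["answered"] = True
        elif m := PARSED_REQ.search(line):
            theirs[int(m.group(2))] = {"exchange": m.group(1), "answered": False}
        elif m := GEN_RESP.search(line):
            mid = int(m.group(2))
            if mid in theirs:
                theirs[mid]["answered"] = True
        elif m := TCPDUMP.match(line):
            src = m.group(1).rsplit(".", 1)[0]   # strip the trailing UDP port
            if src == local:
                direction = "local_to_peer"
            elif src == peer:
                direction = "peer_to_local"
            else:
                direction = "unknown"
            wire[direction][m.group(3)] += 1
    return {"our_requests": ours, "peer_requests": theirs, "wire": wire}


def diagnose(result):
    """Turn the parsed state into short findings a person can compare with the capture."""
    findings = []
    for mid, st in sorted(result["our_requests"].items()):
        if st["answered"]:
            findings.append(f"{st['exchange']} request {mid}: answered after {st['sends']} send(s)")
        else:
            findings.append(f"{st['exchange']} request {mid}: sent {st['sends']} time(s), no response parsed")
    for mid, st in sorted(result["peer_requests"].items()):
        state = "answered" if st["answered"] else "NOT answered"
        findings.append(f"peer {st['exchange']} request {mid}: {state}")
    for direction, counts in sorted(result["wire"].items()):
        findings.append(f"on the wire {direction}: " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
    return findings


if __name__ == "__main__":
    for line in diagnose(analyse(SAMPLE_LOG)):
        print(line)
```

Run against the quoted excerpt, the script reports that charon sent the IKE_AUTH request (message ID 1) twice (initial send plus one retransmit) and never parsed a response, while the peer's INFORMATIONAL request 0 was answered; the wire counters show only one `ikev2_auth[I]` packet in the capture next to two `inf2[IR]` replies, which is the kind of log/capture discrepancy worth checking with a capture on the remote side as suggested in the thread.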
