[strongSwan] Moving from OpenSwan to StrongSWAN AUTHENTICATION_FAILED notify error
Noel Kuntze
noel at familie-kuntze.de
Tue Feb 14 22:39:02 CET 2017
Hello Maqbool,
Setting leftsourceip to something makes charon request a virtual IP from the remote peer.
So that means that the remote peer seems to be configured for config mode (IKEv1) or to
respond with a configuration payload with an IP address to the initiator. That doesn't make
sense in a site-to-site scenario. Charon is perfectly capable of figuring out the correct source
IP address by itself.
> Now I have some routing issues as I am not able to ping the remote.
That probably has to do with there being a SNAT or MASQUERADE rule or generally
wrong iptables rules. Read [1]
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
On 14.02.2017 20:58, Maqbool Patel wrote:
> I tried ikev1 and the tunnel got established.
> Noel, I removed the leftsourceip line, it will not establish the tunnel.
>
> Now I have some routing issues as I am not able to ping the remote.
>
> -maqbool
>
> On Tue, Feb 14, 2017 at 11:10 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Maqbool,
>
> > leftsourceip=10.0.0.33
>
> Remove that. Then retry.
>
> And use auto=route instead of auto=start.
> See the article about security recommendations[1] for reasons why
> and opportunities to significantly improve in your setup.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
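
Added example, not part of the message above or of strongSwan itself: a check for the case the reply describes, where a SNAT or MASQUERADE rule rewrites the source address of tunnel-bound packets so they no longer match the negotiated IPsec policy. It reads iptables-save output and prints nat POSTROUTING rules that are not preceded by an ACCEPT rule matching outbound IPsec policy; the function name, sample rules, interface and subnet are constructed for illustration.

```shell
#!/bin/sh
# Heuristic check over `iptables-save` output (stdin): list source-NAT rules
# in nat/POSTROUTING that can still hit traffic destined for an IPsec tunnel.
find_unexempted_snat() {
    awk '
        # Track which table the following rules belong to (*filter, *nat, ...).
        /^\*/ { table = $1; exempt = 0; next }
        # Source NAT only happens in the nat table, POSTROUTING chain.
        table != "*nat" || $1 != "-A" || $2 != "POSTROUTING" { next }
        # An ACCEPT for packets matching an outbound IPsec policy keeps
        # tunnel traffic away from every NAT rule that follows it.
        /-m policy/ && /--pol ipsec/ && /--dir out/ && /-j ACCEPT/ { exempt = 1; next }
        # Report SNAT/MASQUERADE rules placed before such an exemption,
        # unless the rule is itself limited to packets without IPsec policy.
        /-j (MASQUERADE|SNAT)/ && !exempt && !/--pol none/ { print }
    '
}

# Constructed sample: NAT rule comes first, so tunnel traffic gets rewritten.
SAMPLE_NAT_FIRST='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# Constructed sample: exemption comes first, NAT only sees non-tunnel traffic.
SAMPLE_EXEMPT_FIRST='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Demo run on the first sample; on a live gateway use:
#   iptables-save | find_unexempted_snat
printf '%s\n' "$SAMPLE_NAT_FIRST" | find_unexempted_snat
```

Any rule it prints is a candidate for reordering behind an IPsec policy exemption or for restricting with a policy match; an empty result means no nat POSTROUTING rule precedes the exemption.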