[strongSwan] Rightid different to right problem.

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri May 26 16:45:03 CEST 2017


Hello Jordi,



On 26.05.2017 07:49, Jordi Casanellas wrote:
> The problem I have is that the client has virtual vpbox with Movistar.
> In the 3 vpn the "rightid" is the same to sign
What is "vpbox" and "Movistar"?
rightid from whose perspective? For IPsec VPNs to work correctly, remote peers have to have distinct IDs.
>
> So to be able to lift the vpn I need to sign with a different ip than the
> one assigned.
How do you mean that? Which is assigned? Sign what? Do you mean to write "Sign in"?

>
> Currently I have it working in this way from the Cisco to the provider
> "Gigas".
>
> But I want to pass it on to strongswan
>
> In the file configuration file.conf is the following:
>
>
> ---START CONFIG ---
> config setup
>
> conn client
>
>         left=81.29.122.250
>         leftsubnet=192.168.100.0/24
>         leftid=81.29.122.250
>
>         right=86.45.281.11
>         rightid=217.124.116.61 (is necessary for sign)
>         rightsubnet=192.168.202.0/24
>         #Encryption
>         keyingtries=0
>
>         esp=3des-sha1-modp1024
>         ike=3des-sha1-modp1024
That cipher suite is deprecated and insecure.
From the SecurityRecommendations page[1]:
>
>
>     SWEET32
>
> Because of the attack called SWEET32 <https://sweet32.info/>, 3DES and BLOWFISH are now considered insecure.
> Use AES instead. 3DES and BLOWFISH use a block size of 64 bits. That enables birthday attacks on the encrypted data packets. 
> AES uses a block size of 128 bits, which is secure.
>
>         authby=secret
>         keyexchange=ikev1
>         rekey=no
>
>         #lifetime
>
>         ikelifetime=60s
>         lifetime=8h
>         auto=route
> ----- END CONFIG ----
>
> I tested with rightid=%any and it is not working.
> I tested with rightid the same as the right parameter; it's working, but
> traffic does not work and the tunnel is not up.
>
> I found this plugin duplicheck
> https://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck#Behavior
> But I need to sign the VPN with another IP.
>
>
> ----ERROR Syslog ---
> May 25 18:36:22 CL2017032010001 charon: 10[ENC] parsed INFORMATIONAL_V1
> request 2895156184 [ HASH N((24576)) ]
> May 25 18:36:22 CL2017032010001 charon: 10[IKE] received (24576) notify
> May 25 18:36:22 CL2017032010001 charon: 11[NET] received packet: from
> xx.xx.xxx.xx[4500] to xx.xx.xx.xx[4500] (356 bytes)
> May 25 18:36:22 CL2017032010001 charon: 11[ENC] parsed INFORMATIONAL_V1
> request 1735012586 [ HASH N(INVAL_ID) ]
> May 25 18:36:22 CL2017032010001 charon: 11[IKE] received
> INVALID_ID_INFORMATION error notify
That means that the remote peer didn't like the left- and rightsubnet settings.
Read the logs of the remote peer. There is no more knowledge to gain in reading charon's logs.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations

