[strongSwan] Libreswan client to Strongswan server
Gordon Johnstone
gordon at etx.com.au
Wed Nov 8 01:48:43 CET 2017
I've installed strongswan on a new CentOS 7 server following
https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
Connections from Windows 10 and Android are fine. My understanding of all
things VPN is very basic.
Getting the backup CentOS 6 libreswan connected has stumped me; I'm unable
to get past "no IKE config found for 10.240.0.2 ...<client_public_ip>".
I can see entries relating to the client and server certificates when looking at
"ipsec status", so I think the certificates are ok. Experimenting with specific
ike and phasealg entries on the client hasn't got me anywhere.
There are no ikev2 mentions in the logs, which seems wrong given how many Google
results refer to it.
Could someone please point me in the right direction.
Gordon.
------------- server messages
Nov 8 10:46:17 buddyi charon: 03[NET] received packet: from <client_public_ip>[500] to 10.240.0.2[500]
Nov 8 10:46:17 buddyi charon: 03[NET] waiting for data on sockets
Nov 8 10:46:17 buddyi charon: 05[MGR] checkout IKEv1 SA by message with SPIs a30b15eb151113bc_i 0000000000000000_r
Nov 8 10:46:17 buddyi strongswan: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Nov 8 10:46:17 buddyi strongswan: 14[CFG] looking for an ike config for 10.240.0.2...<client_public_ip>
Nov 8 10:46:17 buddyi strongswan: 14[IKE] no IKE config found for 10.240.0.2...<client_public_ip>, sending NO_PROPOSAL_CHOSEN
Nov 8 10:46:17 buddyi strongswan: 14[ENC] generating INFORMATIONAL_V1 request 1476202834 [ N(NO_PROP) ]
------------ client:/etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# interfaces="ipsec0=eth1"
virtual_private=%v4:
10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.100.64/27
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
# klipsdebug=all
# plutodebug="control parsing"
# plutodebug=all
# plutostderrlog=/var/log/pluto.log
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
# NOTE(review): this empty virtual_private= repeats the key already set a few
# lines above; a second assignment in the same section presumably replaces the
# first, leaving no virtual_private ranges at all -- confirm which value
# libreswan keeps and remove one of the two.
virtual_private=
oe=off
# trying to connect libreswan here to strongswan on buddy
# NOTE(review): no keyexchange= is set on this conn, and the server log shows
# this client arriving as an IKEv1 ID_PROT (main mode) request, while every
# active conn on the strongSwan side is keyexchange=ikev2. That is consistent
# with the "no IKE config found" rejection: try adding keyexchange=ikev2 here.
conn buddy
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
# Certificate (RSA signature) authentication; matches the server's
# certificate-only conn rather than its EAP conn.
authby=rsasig
leftcert="gj's VPN Certificate"
leftsendcert=always
leftid=%fromcert
left=%defaultroute
# NOTE(review): the server allocates client addresses from
# rightsourceip=10.42.42.0/24 and puts no subnet/port restriction on its conns;
# a fixed leftsubnet plus the 17/1701 (L2TP) protoport pair on both ends narrows
# the traffic selectors in a way the server side does not mirror -- verify these
# are still intended once IKEv2 is actually negotiating.
leftsubnet=10.0.100.0/24
leftprotoport=17/1701
# Replace IP address with your VPN server's IP
right=<server_public_ip>
rightprotoport=17/1701
auto=add
#include /etc/ipsec.d/*.conf
---------- server ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start
#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
# auto=start
# ipsec.conf - strongSwan IPsec configuration file
# NOTE(review): this is a second "config setup" section in the same file (the
# first, above, holds only commented-out keys); presumably harmless, but keep a
# single setup section so later edits are not silently split across two.
config setup
# NOTE(review): level-2 debugging on every subsystem is very verbose and logs
# peer identities and addresses; return to the defaults once the client issue
# is resolved.
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
# Settings inherited by every conn defined below.
conn %default
# NOTE(review): all active conns inherit keyexchange=ikev2, and the only IKEv1
# conn in this file (CiscoIPSec, at the bottom) is commented out, so an IKEv1
# initiator finds nothing to match -- which is what the "no IKE config found"
# log message reports.
keyexchange=ikev2
# NOTE(review): the trailing "!" makes these proposal lists strict, but the
# lists still admit modp1024 and sha1 combinations near the end; the initiator's
# proposal decides which one is chosen, so prune the weak tail once it is known
# which clients actually require it.
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
# Dead-peer detection: tear the SA down (rather than restart it) after 300s of silence.
dpdaction=clear
dpddelay=300s
rekey=no
#Server side
left=%any
# left=10.240.0.2
# Full-tunnel: the whole IPv4 space is offered to the client through this gateway.
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.der
# leftfirewall=yes
#Client side
right=%any
rightdns=8.8.8.8,8.8.4.4
# Pool from which connecting clients are assigned a virtual address.
rightsourceip=10.42.42.0/24
# Certificate-authenticated IKEv2 roadwarrior conn (no auth method is set here,
# so strongSwan's default applies).
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
# EAP-MSCHAPv2 variant of the conn above, sharing its settings via also=.
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2
# NOTE(review): check this key name against ipsec.conf(5); strongSwan's key for
# a second authentication round is rightauth2 -- confirm "rightauthby2" is
# accepted rather than silently ignored.
rightauthby2=pubkey
rightsendcert=never
eap_identity=%any
#conn CiscoIPSec
# keyexchange=ikev1
# forceencaps=yes
# authby=xauthrsasig
# xauth=server
# auto=add