[strongSwan] Libreswan client to Strongswan server
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 8 20:40:49 CET 2017
Hi Gordon,
Use the configuration examples from the UsableExamples[1] page. If you continue having trouble, provide the complete information that is listed on the HelpRequests[2] page, please.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
[2] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
On 08.11.2017 01:48, Gordon Johnstone wrote:
> I've installed strongswan on a new CentOS 7 server following https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
>
> Connections from Windows 10 and Android are fine. My understanding of all things VPN is very basic.
>
> Getting the backup CentOS 6 libreswan connected has stumped me, I'm unable to get past "no IKE config found for 10.240.0.2 ...<client_public_ip>"
>
> I can see entries relating to the client and server certificates looking at "ipsec status" so I think certificates are ok. Experimenting with specific ike and phasealg entries on client hasn't got me anywhere.
>
> There are no ikev2 mentions in the logs which seems wrong, so many Google results.
>
> Could someone please point me in the right direction.
>
> Gordon.
>
>
>
>
> ------------- server messages
>
> Nov 8 10:46:17 buddyi charon: 03[NET] received packet: from <client_public_ip>[500
> ] to 10.240.0.2[500]
> Nov 8 10:46:17 buddyi charon: 03[NET] waiting for data on sockets
> Nov 8 10:46:17 buddyi charon: 05[MGR] checkout IKEv1 SA by message with SPIs a3
> 0b15eb151113bc_i 0000000000000000_r
> Nov 8 10:46:17 buddyi strongswan: 14[ENC] parsed ID_PROT request 0 [ SA V V V V
> V V ]
> Nov 8 10:46:17 buddyi strongswan: 14[CFG] looking for an ike config for 10.240.
> 0.2...<client_public_ip>
> Nov 8 10:46:17 buddyi strongswan: 14[IKE] no IKE config found for 10.240.0.2...
> <client_public_ip>, sending NO_PROPOSAL_CHOSEN
> Nov 8 10:46:17 buddyi strongswan: 14[ENC] generating INFORMATIONAL_V1 request 1
> 476202834 [ N(NO_PROP) ]
>
>
> ------------ client:/etc/ipsec.conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> # interfaces="ipsec0=eth1"
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.100.64/27 <http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:%2110.0.100.64/27>
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> klipsdebug=none
> # klipsdebug=all
> # plutodebug="control parsing"
> # plutodebug=all
> # plutostderrlog=/var/log/pluto.log
> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> protostack=netkey
> nat_traversal=yes
> virtual_private=
> oe=off
>
>
>
>
> # trying to connect libreswan here to strongswan on buddy
>
> conn buddy
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
>
> authby=rsasig
> leftcert="gj's VPN Certificate"
> leftsendcert=always
>
>
> leftid=%fromcert
> left=%defaultroute
> leftsubnet=10.0.100.0/24 <http://10.0.100.0/24>
> leftprotoport=17/1701
>
> # Replace IP address with your VPN server's IP
> right=<server_public_ip>
> rightprotoport=17/1701
> auto=add
>
>
> #include /etc/ipsec.d/*.conf
>
> ---------- server ipsec.conf
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
>
> #conn sample-self-signed
> # leftsubnet=10.1.0.0/16 <http://10.1.0.0/16>
> # leftcert=selfCert.der
> # leftsendcert=never
> # right=192.168.0.2
> # rightsubnet=10.2.0.0/16 <http://10.2.0.0/16>
> # rightcert=peerCert.der
> # auto=start
>
> #conn sample-with-ca-cert
> # leftsubnet=10.1.0.0/16 <http://10.1.0.0/16>
> # leftcert=myCert.pem
> # right=192.168.0.2
> # rightsubnet=10.2.0.0/16 <http://10.2.0.0/16>
> # rightid="C=CH, O=Linux strongSwan CN=peer name"
> # auto=start
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
>
> conn %default
> keyexchange=ikev2
> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>
>
> dpdaction=clear
> dpddelay=300s
> rekey=no
>
>
> #Server side
> left=%any
> # left=10.240.0.2
> leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> leftcert=vpnHostCert.der
> # leftfirewall=yes
>
>
> #Client side
> right=%any
> rightdns=8.8.8.8,8.8.4.4
> rightsourceip=10.42.42.0/24 <http://10.42.42.0/24>
>
> conn IPSec-IKEv2
> keyexchange=ikev2
> auto=add
>
>
> conn IPSec-IKEv2-EAP
> also="IPSec-IKEv2"
> rightauth=eap-mschapv2
> rightauthby2=pubkey
> rightsendcert=never
> eap_identity=%any
>
> #conn CiscoIPSec
> # keyexchange=ikev1
> # forceencaps=yes
> # authby=xauthrsasig
> # xauth=server
> # auto=add
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171108/1e4a5277/attachment.sig>
More information about the Users
mailing list