[strongSwan] Libreswan client to Strongswan server

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 8 20:40:49 CET 2017


Hi Gordon,

Use the configuration examples from the UsableExamples[1] page. If you still have trouble, please provide the complete information listed on the HelpRequests[2] page.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
[2] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 08.11.2017 01:48, Gordon Johnstone wrote:
> I've installed strongswan on a new CentOS 7 server following https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
>
> Connections from Windows 10 and Android are fine. My understanding of all things VPN is very basic.
>
> Getting the backup CentOS 6 libreswan connected has stumped me; I'm unable to get past "no IKE config found for 10.240.0.2 ...<client_public_ip>"
>
> I can see entries relating to the client and server certificates looking at "ipsec status" so I think certificates are ok. Experimenting with specific ike and phasealg entries on client hasn't got me anywhere.
>
> There are no ikev2 mentions in the logs, which seems wrong given how many Google results refer to it.
>
> Could someone please point me in the right direction.
>
> Gordon.
>
>
>
>
> ------------- server messages
>
> Nov  8 10:46:17 buddyi charon: 03[NET] received packet: from <client_public_ip>[500
> ] to 10.240.0.2[500]
> Nov  8 10:46:17 buddyi charon: 03[NET] waiting for data on sockets
> Nov  8 10:46:17 buddyi charon: 05[MGR] checkout IKEv1 SA by message with SPIs a3
> 0b15eb151113bc_i 0000000000000000_r
> Nov  8 10:46:17 buddyi strongswan: 14[ENC] parsed ID_PROT request 0 [ SA V V V V
>  V V ]
> Nov  8 10:46:17 buddyi strongswan: 14[CFG] looking for an ike config for 10.240.
> 0.2...<client_public_ip>
> Nov  8 10:46:17 buddyi strongswan: 14[IKE] no IKE config found for 10.240.0.2...
> <client_public_ip>, sending NO_PROPOSAL_CHOSEN
> Nov  8 10:46:17 buddyi strongswan: 14[ENC] generating INFORMATIONAL_V1 request 1
> 476202834 [ N(NO_PROP) ]
>
>
> ------------ client:/etc/ipsec.conf
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # interfaces="ipsec0=eth1"
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.100.64/27
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>          klipsdebug=none
>         # klipsdebug=all
>         # plutodebug="control parsing"
>         # plutodebug=all
>         # plutostderrlog=/var/log/pluto.log
>         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=
>         oe=off
>
>
>
>
> # trying to connect libreswan here to strongswan on buddy
>
> conn buddy
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>
>         authby=rsasig
>         leftcert="gj's VPN Certificate"
>         leftsendcert=always
>
>
>         leftid=%fromcert
>         left=%defaultroute
>         leftsubnet=10.0.100.0/24
>         leftprotoport=17/1701
>
>   # Replace IP address with your VPN server's IP
>        right=<server_public_ip>
>        rightprotoport=17/1701
>        auto=add
>
>
> #include /etc/ipsec.d/*.conf
>
> ---------- server ipsec.conf
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
>
> #conn sample-self-signed
> #      leftsubnet=10.1.0.0/16
> #      leftcert=selfCert.der
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
>
> #conn sample-with-ca-cert
> #      leftsubnet=10.1.0.0/16
> #      leftcert=myCert.pem
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightid="C=CH, O=Linux strongSwan CN=peer name"
> #      auto=start
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
>
> conn %default
>     keyexchange=ikev2
>     ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>     esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>
>
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>
>
>     #Server side
>     left=%any
>     # left=10.240.0.2
>     leftsubnet=0.0.0.0/0
>     leftcert=vpnHostCert.der
>     # leftfirewall=yes
>
>
>     #Client side
>     right=%any
>     rightdns=8.8.8.8,8.8.4.4
>     rightsourceip=10.42.42.0/24
>     
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     auto=add
>
>
> conn IPSec-IKEv2-EAP
>     also="IPSec-IKEv2"
>     rightauth=eap-mschapv2
>     rightauthby2=pubkey
>     rightsendcert=never
>     eap_identity=%any
>
> #conn CiscoIPSec
> #    keyexchange=ikev1
> #    forceencaps=yes
> #    authby=xauthrsasig
> #    xauth=server
> #    auto=add
>
>
>
