[strongSwan] Problem initializing ipsec tunnel
MIDOL MONNET Philippe
philippe.midol-monnet at soprasteria.com
Tue Oct 23 16:53:50 CEST 2018
Hi
Sorry for the badly formulated request.
I solved my problem.
The ipsec configuration file was the following:
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    leftupdown=/etc/strongswan.d/updown.sh
    leftid=petittestaplug
    leftsourceip=%config
    right=*********
    rightsubnet=0.0.0.0/0
    esp=aes256-sha512-modp4096!
    ike=aes256-sha512-modp4096!
    keyingtries=%forever
    ikelifetime=24h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=start
    keyexchange=ikev2
The firewall rules are:
# Generated by iptables-save v1.6.0 on Tue May 8 04:31:16 2018
*raw
:PREROUTING ACCEPT [82254:41942801]
:OUTPUT ACCEPT [84703:37967014]
COMMIT
# Completed on Tue May 8 04:31:16 2018
# Generated by iptables-save v1.6.0 on Tue May 8 04:31:16 2018
*nat
:PREROUTING ACCEPT [10:600]
:INPUT ACCEPT [10:600]
:OUTPUT ACCEPT [18:2183]
:POSTROUTING ACCEPT [18:2183]
-A POSTROUTING -d 192.168.200.20/32 -o eth1 ! -p esp -j SNAT --to-source 10.3.0.51
-A POSTROUTING -d 192.168.200.20/32 -o eth1 ! -p esp -j SNAT --to-source 10.3.0.51
COMMIT
# Completed on Tue May 8 04:31:16 2018
# Generated by iptables-save v1.6.0 on Tue May 8 04:31:16 2018
*mangle
:PREROUTING ACCEPT [82254:41942801]
:INPUT ACCEPT [82252:41942175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84719:37970086]
:POSTROUTING ACCEPT [85363:38044708]
:connman-INPUT - [0:0]
:connman-POSTROUTING - [0:0]
-A INPUT -j connman-INPUT
-A POSTROUTING -j connman-POSTROUTING
-A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Tue May 8 04:31:16 2018
# Generated by iptables-save v1.6.0 on Tue May 8 04:31:16 2018
*filter
:INPUT ACCEPT [82252:41942175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84719:37970086]
COMMIT
# Completed on Tue May 8 04:31:16 2018
Adding:
    forceencaps=yes
in the configuration file solves the problem.
Philippe
Le 19/10/2018 à 22:49, Jafar Al-Gharaibeh a écrit :
> Philippe,
>
> We don't know what happened either. If you want help, follow the
> instructions on [1] and provide configs/logs/etc.
>
>
> --Jafar
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> On 10/18/2018 10:53 AM, MIDOL MONNET Philippe wrote:
>> Hello
>>
>> I'm not familiar with StrongSwan and I have the following issue when I
>> try to establish a tunnel:
>>
>> With the charon log and a tcpdump I can see that, initialisation and
>> authentication seem to be OK:
>>
>> Send: IKE_SA_INIT Initiator Request
>> Recv: IKE_SA_INIT Responder Response
>> Send: IKE_AUTH Initiator Request
>> Recv: IKE_AUTH Responder Response
>>
>> Therefore there is INFORMATIONAL:
>> Send: INFORMATIONAL Initiator Request
>> Recv: INFORMATIONAL Responder Request
>> Send: INFORMATIONAL Initiator Response
>> At this moment, the distant host redoes the request and localhost resends
>> the response:
>> Recv: INFORMATIONAL Responder Request
>> Send: INFORMATIONAL Initiator Response
>> Send: INFORMATIONAL Initiator Request
>> etc.
>> and the tunnel can't be used.
>>
>> I don't know what happens, can you help me?
>>
>> Philippe
>>
>>
>>
>>
>
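Added example (not part of this thread and not strongSwan's own code): a small check for the situation described above. The SNAT rule in the nat table carries "! -p esp", so UDP (the IKE exchange on 500/4500) leaves eth1 rewritten to 10.3.0.51 while plain ESP leaves with its original source address; the peer then sees the two from different addresses. forceencaps=yes makes charon wrap ESP in UDP/4500 even when no NAT is detected, so the same rule applies to both. The script parses an ipsec.conf-style file (with conn %default inheritance), scans an iptables-save dump for POSTROUTING SNAT/MASQUERADE rules that exclude ESP, and reports every conn that lacks forceencaps=yes. The sample inputs are constructed, the peer address is a placeholder, and the function names are my own.

```python
import re

# Constructed sample input, not taken from the post: an ipsec.conf with a
# %default section and one conn, plus the nat table of an iptables-save dump
# whose SNAT rule skips ESP ("! -p esp"), the pattern in the rules above.
IPSEC_CONF = """\
config setup
    charondebug="all"

conn %default
    keyexchange=ikev2
    authby=secret

conn tunnel
    leftsourceip=%config
    right=192.0.2.10          # placeholder peer address
    rightsubnet=0.0.0.0/0
    auto=start
"""

IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [10:600]
:POSTROUTING ACCEPT [18:2183]
-A POSTROUTING -d 192.168.200.20/32 -o eth1 ! -p esp -j SNAT --to-source 10.3.0.51
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""


def parse_ipsec_conf(text):
    """Return {"<kind> <name>": {key: value}} for an ipsec.conf-style file.

    Section headers start in column 0; parameters are indented key=value
    lines.  Anything after '#' is treated as a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Apply 'conn %default' inheritance; return {conn_name: params}."""
    default = sections.get("conn %default", {})
    conns = {}
    for section, params in sections.items():
        kind, _, name = section.partition(" ")
        if kind == "conn" and name != "%default":
            conns[name] = {**default, **params}
    return conns


def nat_rules_excluding_esp(text):
    """Return nat-table POSTROUTING SNAT/MASQUERADE rules that skip ESP."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif (table == "nat" and line.startswith("-A POSTROUTING")
              and re.search(r"-j (SNAT|MASQUERADE)\b", line)
              and re.search(r"!\s*-p\s+esp\b", line)):
            rules.append(line)
    return rules


def check_encapsulation(ipsec_conf, iptables_save):
    """Flag conns that would send plain ESP past a source-NAT rule which
    rewrites everything except ESP, unless forceencaps=yes is set."""
    findings = []
    skipping = nat_rules_excluding_esp(iptables_save)
    if not skipping:
        return findings
    for name, params in effective_conns(parse_ipsec_conf(ipsec_conf)).items():
        if params.get("forceencaps", "no").lower() != "yes":
            findings.append({"conn": name, "rules": skipping,
                             "fix": "add forceencaps=yes to the conn"})
    return findings


if __name__ == "__main__":
    for finding in check_encapsulation(IPSEC_CONF, IPTABLES_SAVE):
        print(f"conn {finding['conn']}: ESP bypasses source NAT in "
              f"{len(finding['rules'])} rule(s); {finding['fix']}")
```

Run it against a real `iptables-save` dump and `/etc/ipsec.conf` by swapping the two constants for file contents; a conn is reported only when both conditions hold, and setting forceencaps=yes in the conn itself or in conn %default clears the finding.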