[strongSwan] peer not responding [Resolved]

Stephen Feyrer stephen.feyrer at greensill.com
Tue Aug 13 13:30:50 CEST 2019


Hey,

Please consider the specific issue below resolved.

Added the line "ike=aes128-sha1-modp2048"

Thank you.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.feyrer at greensill.com<mailto:stephen.feyrer at greensill.com>
http://www.greensill.com

From: Stephen Feyrer
Sent: 12 August 2019 16:29
To: users at lists.strongswan.org
Subject: RE: peer not responding

Hi there,

A short update.  Most of the below remains true.

I now have permission to test from a Laptop running Ubuntu which is tethered to my phone.

Some additional information from $ sudo ike-scan -v -M -m -1 -y 1 -A 50.45.0.51
DEBUG :    pkt len=356 bytes, bandwidth=56000 bps, int=54857 us
Startng ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan)
---    Pass 1 of 3 completed
---    Pass 2 of 3 completed
---    Pass 3 of 3 completed

Ending ike-scan 1.9.4: 1 hosts scanned in 2.451 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

The VPN provider is a Fortigate.



From: Stephen Feyrer
Sent: 08 August 2019 17:17
To: users at lists.strongswan.org<mailto:users at lists.strongswan.org>
Subject: peer not responding

Hi there,

My situation is an odd one.  I have on my desktop a Linux virtual machine (Debian) running in VirtualBox on which I need to set up an IPSec/l2tp VPN client so as to be able to provide guidance to external users on setting up their connections.

In VirtualBox I have set rules to forward the ports 50, 51, 500 and 4500 to the VM.

I have an officeVPN.conf file which looks like:

conn officeVPN
        aggressive=yes
        type=tunnel
        authby=psk
        keyexchange=ikev1
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=50.45.0.51
        rightprotoport=udp/l2tp
        auto=add

An officeVPN.secrets that looks like:

: PSK "StrongKey-Honest!"

An /etc/strongswan.conf that has the following line:

i_dont_care_about_security_and_use_aggressive_mode_psk=yes


Then the ipsec up officeVPN command is run:

# ipsec up officeVPN
Initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
Generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
giving up after 5 retransmits
peer not responding, trying again (2/3)
Initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
Generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
giving up after 5 retransmits
peer not responding, trying again (3/3)
Initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
Generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.5.0.51[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'officeVPN' failed.


From the logs I get lines like:

Starting strongSwan 5.7.2 IPsec [starter]...
Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86-64)
loading ca certificates from '/etc/ipsec.d/cacerts'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
loading attribute certificates from '/etc/ipsec.d/acerts'
loading crls from '/etc/ipsec.d/crls'
loading secrets from '/etc/ipsec.d/officeVPN.sercrets'
    loading IKE secret for officeVPN 50.45.0.51
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation...
dropped capabilities, running as uid 0, gid 0
spawning 16 worker threads
charon (1499) started after 20 ms
received stroke: add connection 'officeVPN'
added configuration 'officeVPN'
received stroke: initiate 'officeVPN'


Where a.b.c.d is the local IP of the host and 50.54.0.51 is the VPN server.

Nothing that I have tried has had a positive effect.  Thank you for your patience.  I may be going about this wholly the wrong way, so any suggestions would be gratefully received.

Thank you.


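As an added example (not code from the thread or from strongSwan), a small Python checker that parses a conn block like the one posted above and flags the two points the thread turns on: the missing explicit ike= proposal that the Fortigate peer needed before it would answer, and the aggressive-mode PSK setting that strongswan.conf itself warns about. CONF_BEFORE is a constructed copy of the posted block and FIX_LINE is the one-line change reported as the resolution.

```python
import re

# Constructed copy of the conn block posted in the thread (before the fix).
CONF_BEFORE = """\
conn officeVPN
        aggressive=yes
        type=tunnel
        authby=psk
        keyexchange=ikev1
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=50.45.0.51
        rightprotoport=udp/l2tp
        auto=add
"""

# The one-line change the thread reports as the resolution.
FIX_LINE = "        ike=aes128-sha1-modp2048\n"


def parse_conn(text):
    """Return {conn_name: {key: value}} for every 'conn <name>' section."""
    conns, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        kv = re.match(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return conns


def lint_conn(settings):
    """Return findings for one conn; an empty list means nothing was flagged."""
    findings = []
    if settings.get("keyexchange") == "ikev1" and "ike" not in settings:
        # Without an explicit proposal the peer may simply not answer, which
        # shows up as 'peer not responding' rather than a clear error.
        findings.append("no explicit ike= proposal for an IKEv1 connection")
    if settings.get("aggressive") == "yes" and settings.get("authby") == "psk":
        # Aggressive mode sends the PSK-derived hash unencrypted, so the key
        # can be guessed offline; main mode does not have this weakness.
        findings.append("aggressive mode with PSK; prefer main mode")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_BEFORE + FIX_LINE)):
        print(label, lint_conn(parse_conn(conf)["officeVPN"]))
```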


