[strongSwan] Routing problem on Linux

Noel Kuntze noel.kuntze at thermi.consulting
Wed Jul 17 21:46:15 CEST 2019


Hello,

Please start off with an example configuration from the UsableExamples page.

If the connection times out during the IKE negotiation, either your firewall is configured incorrectly or something else on your side.
It could also be that you need to enable fragmentation for IKE. That's been enabled by default for a couple of versions already.

Kind regards

Noel

On 17.07.19 at 10:45, Old Kid wrote:
> Hello all,
> My Windows 10 computer can connect to my strongswan server, though it has some weird behaviors, it works at least. I need to share the VPN adapter's with Wifi, reset Wifi to DHCP, connect Wifi and VPN. Only after that I get a PPP adapter with default gateway 0.0.0.0 . But on Linux there is no route at all,
> I use NetworkManager + strongswan plugin, after it connects I have:
> default via 192.168.0.1 dev wlp3s0 proto dhcp metric 600
> 192.168.0.0/24 dev wlp3s0 proto dhcp scope link src 192.168.0.2 metric 304
> 192.168.0.0/24 dev wlp3s0 proto kernel scope link src 192.168.0.2 metric 600
> 192.168.20.100 dev wlp3s0 proto kernel scope link src 192.168.20.100 metric 50
> 192.168.20.100 dev wlp3s0 proto kernel scope link src 192.168.20.100 metric 600
> avatar at archlinux:~$
> I don't understand what the first column 192.168.20.100 means. I think it's supposed to be a subnet. And I don't think I can add a default route with this manually. In addition, the strongswan android client can't connect at all, it says "giving up after 3 retransmits, establishing IKE_SA failed, peer not responding". Is there something with this configuration?
>
> conn ikev2-vpn
>        auto=route
>        compress=no
>        type=tunnel
>        keyexchange=ikev2
>        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
>        fragmentation=yes
>        forceencaps=yes
>        dpdaction=clear
>        dpddelay=300s
>        left=%any
>        leftid=@ipsecserver.com
>        leftcert=ipsecserver.pem
>        leftsendcert=always
>        leftsubnet=0.0.0.0/0
>        right=%any
>        rightid=%any
>        rightauth=eap-mschapv2
>        leftsourceip=192.168.20.1
>        rightsourceip=192.168.20.100/24
>        rightdns=8.8.8.8,8.8.4.4
>        rightsendcert=never
>        eap_identity=%identity

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
