[strongSwan] A little help with the configuration

xalloc xalloc at protonmail.com
Mon Mar 18 10:18:33 CET 2019


Hello, I'm setting up a swanctl configuration file to connect to my company VPN, but I'm missing something.

The company has a hardware firewall that provides its IPsec VPN. Home employees need to connect to it using their user/pass.
The gateway VPN is configured like this:
- ikev1
- aggressive mode
- user based PSK
- SA lifetime 86400
- proposal AES256-sha512 DH14
- NAT traversal enabled
- DPD enabled
- local policy 192.168.8.0/24
- IP address pool 192.168.9.2-192.168.9.100
- Active protocol: ESP
- Encapsulation: tunnel

So when a user connects, they get assigned a 192.168.9.0/24 IP that works exclusively on subnet 192.168.8.0/24 (separate routing).

Another thing that is not defined on the gateway but on the current client we use: the user needs to use DNS 192.168.8.10 and 192.168.8.11.

Given all this info, this is the swanctl.conf I built:


####################################
connections {
    ikev1-psk {
        # IKEv1 in Aggressive Mode, as the gateway requires
        version = 1
        aggressive = yes
        # client-side DPD left off; DPD requests from the gateway are still answered
        #dpd_delay = 30
        #dpd_timeout = 90
        remote_addrs = THE_GATEWAY_IP
        # a pool is only consulted when this host assigns addresses as the
        # responder; as the client, the address is requested from the gateway via vips
        pools = pool
        # modp2048 is DH group 14, matching the gateway's AES256-sha512 DH14
        proposals = aes256-sha2_512-modp2048
        # request a virtual IPv4 and IPv6 address (Mode Config)
        vips = 0.0.0.0,::
        local {
            auth = psk
            id = THE_USER_ID
        }
        remote {
            auth = psk
            id = THE_GATEWAY_IP
        }
        children {
            ikev1-psk {
                # the gateway's local policy
                remote_ts = 192.168.8.0/24
                # the DH group here enables PFS in Quick Mode and must match the gateway
                esp_proposals = aes256-sha2_512-modp2048
            }
        }
    }
}
secrets {
    ike {
        id = THE_USER_ID
        secret = "THE_USER_PWD"
    }
}
pools {
    pool {
        addrs = 192.168.9.2-192.168.9.100
        dns = 192.168.8.10,192.168.8.11
    }
}
####################################



>$ swanctl -q
loaded ike secret 'ike'
no authorities found, 0 unloaded
loaded pool 'pool'
successfully loaded 1 pools, 0 unloaded
loaded connection 'ikev1-psk'
successfully loaded 1 connections, 0 unloaded

>$ swanctl -i --child ikev1-psk
[IKE] initiating Aggressive Mode IKE_SA ikev1-psk[1] to THE_GATEWAY_IP
[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
[NET] sending packet: from 192.168.5.2[500] to THE_GATEWAY_IP[500] (495 bytes)
[NET] received packet: from THE_GATEWAY_IP[500] to 192.168.5.2[500] (906 bytes)
[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V V V V V V V NAT-D NAT-D ]
[ENC] received unknown vendor ID: ID_HERE
[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[ENC] received unknown vendor ID: ID
[ENC] received unknown vendor ID: ID
[ENC] received unknown vendor ID: ID
[ENC] received unknown vendor ID: ID
[IKE] IKE_SA ikev1-psk[1] established between 192.168.5.2[THE_USER_ID]...THE_GATEWAY_IP[THE_GATEWAY_IP]
[IKE] scheduling rekeying in 13223s
[IKE] maximum IKE_SA lifetime 14663s
[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
[NET] sending packet: from 192.168.5.2[500] to THE_GATEWAY_IP[500] (236 bytes)
[ENC] generating TRANSACTION request 248979087 [ HASH CPRQ(ADDR ADDR6 DNS DNS6) ]
[NET] sending packet: from 192.168.5.2[500] to THE_GATEWAY_IP[500] (124 bytes)
[NET] received packet: from THE_GATEWAY_IP[500] to 192.168.5.2[500] (140 bytes)
[ENC] parsed TRANSACTION response 248979087 [ HASH CPRP(ADDR MASK DNS DNS) ]
[CFG] handling INTERNAL_IP4_NETMASK attribute failed
[IKE] installing DNS server 192.168.8.10 to /etc/resolv.conf
[IKE] installing DNS server 192.168.8.11 to /etc/resolv.conf
[IKE] installing new virtual IP 192.168.9.23
[NET] received packet: from THE_GATEWAY_IP[500] to 192.168.5.2[500] (140 bytes)
[ENC] parsed INFORMATIONAL_V1 request 87334116 [ HASH N(DPD) ]
[ENC] generating INFORMATIONAL_V1 request 2935420725 [ HASH N(DPD_ACK) ]
[NET] sending packet: from 192.168.5.2[500] to THE_GATEWAY_IP[500] (140 bytes)
[NET] received packet: from THE_GATEWAY_IP[500] to 192.168.5.2[500] (140 bytes)
...



From those messages it seems it can connect, but when I ping something (even DNS) nothing works.
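A small triage helper for reading swanctl -i output like the excerpt above, added here as an example and not part of the post or of strongSwan: it records which IKEv1 phases the log shows (Aggressive Mode phase 1, Mode Config attributes, Quick Mode CHILD_SA) and flags an IKE_SA that is up without a CHILD_SA, which is what ping traffic actually needs. The sample log is constructed from the post's placeholders, and the CHILD_SA pattern is assumed from charon's usual "CHILD_SA ... established with SPIs" message, which the quoted excerpt does not contain.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the post's swanctl -i output; placeholders, not real values.
SAMPLE_LOG = """\
[IKE] initiating Aggressive Mode IKE_SA ikev1-psk[1] to THE_GATEWAY_IP
[IKE] IKE_SA ikev1-psk[1] established between 192.168.5.2[THE_USER_ID]...THE_GATEWAY_IP[THE_GATEWAY_IP]
[CFG] handling INTERNAL_IP4_NETMASK attribute failed
[IKE] installing DNS server 192.168.8.10 to /etc/resolv.conf
[IKE] installing DNS server 192.168.8.11 to /etc/resolv.conf
[IKE] installing new virtual IP 192.168.9.23
"""
SINGLE = {  # one value per field; wording follows charon's log messages
    "ike_mode": re.compile(r"\[IKE\] initiating (Aggressive|Main) Mode IKE_SA"),
    "ike_sa": re.compile(r"\[IKE\] IKE_SA (\S+) established between"),
    "child_sa": re.compile(r"\[IKE\] CHILD_SA (\S+) established with SPIs"),  # assumed wording
    "virtual_ip": re.compile(r"\[IKE\] installing new virtual IP (\S+)"),
}
MULTI = {  # values that may repeat
    "dns": re.compile(r"\[IKE\] installing DNS server (\S+)"),
    "failed_attributes": re.compile(r"\[CFG\] handling (\S+) attribute failed"),
}

@dataclass
class Summary:
    ike_mode: str = ""
    ike_sa: str = ""
    child_sa: str = ""
    virtual_ip: str = ""
    dns: list = field(default_factory=list)
    failed_attributes: list = field(default_factory=list)
    findings: list = field(default_factory=list)

def triage(log: str) -> Summary:
    """Record which IKEv1 phases a swanctl/charon log excerpt shows."""
    s = Summary()
    for line in log.splitlines():
        for name, rx in SINGLE.items():
            if m := rx.search(line):
                setattr(s, name, m.group(1))
        for name, rx in MULTI.items():
            if m := rx.search(line):
                getattr(s, name).append(m.group(1))
    # Phase 1 plus Mode Config moves no traffic; that needs a Quick Mode CHILD_SA.
    if s.ike_sa and not s.child_sa:
        s.findings.append("IKE_SA up but no CHILD_SA established in this excerpt")
    if s.ike_mode == "Aggressive":
        s.findings.append("Aggressive Mode: IDs sent unencrypted, PSK-based HASH exposed to offline guessing")
    s.findings += [f"attribute {a} was not applied" for a in s.failed_attributes]
    return s
```

Feeding it the real output of swanctl -i tells you at a glance whether the stall is in phase 1, in Mode Config, or in Quick Mode, and swanctl -l then confirms whether a CHILD_SA with the expected traffic selectors is actually installed.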


