[strongSwan] updown on client side not called strongSwan 5.8.1
bls s
bls3427 at outlook.com
Sun Sep 8 02:22:45 CEST 2019
I'm trying to set up a Linux roadwarrior client on Raspbian Buster (strongSwan 5.8.1) connecting to a Raspbian Buster server
(strongSwan 5.8.0) using /etc/swanctl.conf. strongSwan was built from source on both systems. The client is connected to the network
via my phone hotspot to test an outside-the-firewall connection.
When I run swanctl --initiate theclient-theserver --child theclient-theserver from the client, the VPN connection and the
child connection appear to be established.
iptables seems to be set up correctly on the server, but there are no iptables entries added on the client.
I added a 'printenv >> /tmp/updown.log' to /libexec/ipsec/_updown on both ends. The printenv output is logged on the server side,
but the client side never calls the updown script. There are no iptables entries made for the connection, and of course no traffic
is passed over the VPN.
I'm stumped as to why my updown script isn't called. Any thoughts?
Thanks!
Here's the Server connection from the server's /etc/swanctl/swanctl.conf
ikev2-pubkey-linux {
    version = 2
    proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    rekey_time = 0s
    pools = primary-pool-ipv4
    fragmentation = yes
    dpd_delay = 30s
    local-1 {
        auth = pubkey
        cacerts = strongSwanCACert.pem
        certs = linux-strongSwanVPNCert.pem
        id = linux.domain.com
    }
    remote-1 {
        auth = pubkey
    }
    children {
        ikev2-pubkey {
            local_ts = 0.0.0.0/0
            updown = /libexec/ipsec/_updown iptables
        }
    }
}
And here's the Client connection from the client's /etc/swanctl/swanctl.conf
theclient-theserver {
    version = 2
    local_addrs = %any
    remote_addrs = theserver.domain.com
    vips = 0.0.0.0
    mobike = no
    reauth_time = 10800
    local-1 {
        auth = pubkey
        certs = theclient-pi-theserverCert.pem
        id = theclient-pi-theserver@myvpn.net
    }
    remote-1 {
        id = linux.domain.com
    }
    children {
        theclient-theserver {
            ikev2-pubkey {
                remote_ts = 0.0.0.0/0
                updown = /libexec/ipsec/_updown iptables
                esp_proposals = aes128gcm128-x25519
            }
        }
    }
}
From the server:
theserver/libexec/ipsec# swanctl --list-sas
ikev2-pubkey-linux: #2, ESTABLISHED, IKEv2, 087489bd226c45e3_i 43a903a639bf6081_r*
  local  'linux.domain.com' @ 192.168.92.3[4500]
  remote 'theclient-pi-theserver@myvpn.net' @ my.phone.ip.address[54007] [10.92.10.1]
  AES_GCM_16-192/PRF_HMAC_SHA2_256/ECP_256
  established 990s ago
  ikev2-pubkey: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 990s ago, rekeying in 2373s, expires in 2970s
    in  c638a5f3, 0 bytes, 0 packets
    out c6a7423c, 0 bytes, 0 packets
    local  my.external.ip.address/32
    remote 10.92.10.1/32
From the client:
theclient/etc/swanctl# swanctl --list-sas
theclient-theserver: #2, ESTABLISHED, IKEv2, 087489bd226c45e3_i* 43a903a639bf6081_r
  local  'theclient-pi-theserver@myvpn.net' @ 172.20.10.6[4500] [10.92.10.1]
  remote 'linux.domain.com' @ my.external.ip.address[4500]
  AES_GCM_16-192/PRF_HMAC_SHA2_256/ECP_256
  established 1034s ago, reauth in 9763s
  theclient-theserver: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 1034s ago, rekeying in 2409s, expires in 2926s
    in  c6a7423c, 0 bytes, 0 packets
    out c638a5f3, 0 bytes, 0 packets
    local  10.92.10.1/32
    remote my.external.ip.address/32
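A small layout check for this kind of swanctl.conf problem, added here as an example; it is not part of the original post and not strongSwan's own tooling. swanctl reads a child's settings (remote_ts, updown, esp_proposals, ...) as key = value pairs placed directly inside connections.<conn>.children.<child>; a subsection nested inside the child is not a child definition, so settings placed there are not applied. The script below parses the key = value / name { } / # comment syntax that swanctl.conf uses (simplified: no includes, quoting or section references) and flags any child whose settings sit one level too deep. The "posted" configuration is reconstructed from the client child section in the message above, trimmed to the relevant keys; the "fixed" one is the same child with its settings moved up one level.

```python
"""Lint swanctl.conf child sections for settings nested one level too deep.

Added example, not strongSwan code. The parser is deliberately simplified:
it handles `key = value`, `name { ... }` and `# comment` lines only.
"""

# Settings the post expects the client child to apply.
EXPECTED = ("remote_ts", "updown")


def parse_settings(text):
    """Parse strongSwan settings syntax into nested dicts.

    Sections become dicts; key = value pairs become strings.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def lint_children(text):
    """Return one finding per child that has a nested subsection or lacks an expected setting."""
    findings = []
    conns = parse_settings(text).get("connections", {})
    for conn_name, conn in conns.items():
        children = conn.get("children", {}) if isinstance(conn, dict) else {}
        for child_name, child in children.items():
            path = f"connections.{conn_name}.children.{child_name}"
            for key, value in child.items():
                if isinstance(value, dict):
                    findings.append(
                        f"{path}: subsection '{key}' is not read as child settings; "
                        f"move {sorted(value)} up one level"
                    )
            for key in EXPECTED:
                if key not in child:
                    findings.append(f"{path}: no '{key}' at child level")
    return findings


# Constructed from the client child section in the post (trimmed to the relevant keys).
POSTED = """
connections {
    theclient-theserver {
        version = 2
        remote_addrs = theserver.domain.com
        children {
            theclient-theserver {
                ikev2-pubkey {
                    remote_ts = 0.0.0.0/0
                    updown = /libexec/ipsec/_updown iptables
                    esp_proposals = aes128gcm128-x25519
                }
            }
        }
    }
}
"""

# The same child with its settings placed directly inside the child section.
FIXED = """
connections {
    theclient-theserver {
        version = 2
        remote_addrs = theserver.domain.com
        children {
            theclient-theserver {
                remote_ts = 0.0.0.0/0
                updown = /libexec/ipsec/_updown iptables
                esp_proposals = aes128gcm128-x25519
            }
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{label}:", lint_children(cfg) or ["ok"])
```

After editing the file, reloading with swanctl --load-all and checking swanctl --list-conns shows whether the child now carries the intended remote_ts, updown and ESP proposal. Note that in the client's swanctl --list-sas output above, the ESP algorithm (AES_CBC-128/HMAC_SHA2_256_128) and the remote traffic selector (the server's host address rather than 0.0.0.0/0) are strongSwan's defaults, which is consistent with the nested settings not having been read.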