[strongSwan] QUICK_MODE never receives response from remote host
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Mar 13 13:27:28 CET 2020
Hello Matt,
Try adding a ! after the esp proposal you want to use.
Kind regards
Noel
Am 12.03.20 um 22:13 schrieb Matt Wright:
> I've been trying to figure this one out for several hours, have googled a bunch of stuff, but gotten nowhere quick :(
>
> I'm trying to setup a tunnel between a machine I control and a remote system controlled by someone else. Previously to today we had this tunnel setup and running on our local Watchguard router, and it all seemed to be working correctly. However moving forward I need to get this configuration working elsewhere, so enter strongswan.
>
> as far as I can tell everything is setup correctly, however when initiating the connection, phase 1 seems to complete successfully, but as soon as QUICK_MODE starts, I get no response back from the remote host
>
> it doesn't help matters, that this is the first time I'm really trying to do anything like this, and the information I've got from the remote host provider is somewhat... vague, so I've had to make educated guesses to even get to this point
>
> Below are logs and configuration, and hopefully, someone will be able to shed some light on this. As mentioned I've tried a whole bunch of different things, so the config is a bit of a mess.
>
> ----------------My Config---------------
>
> conn VPN
> authby=psk #this specifies how the connection is authenticated
> auto=add
> #rightauth=psk
> #aggressive=yes
> type=tunnel #the type of connection
> left=66.60.177.3 #This is the public ip address of server A
> #leftsourceip=%config
> #modeconfig=pull
> leftsubnet=10.10.10.0/24 #This is the subnet/private ip of server A
> right=173.14.59.177 #This is the public ip address of server B/remote server
> rightsubnet=10.1.25.0/24 #This is the subnet/private ip of server B
> #rightsourceip=172.20.22.0
> #rightsubnet=172.20.22.0/24
> ike=aes128-sha1-modp1024! #Internet key exchange, type of encryption
> #ah=aes128-sha1-modp1024 #Internet key exchange, type of encryption
> #esp=aes128-sha1 #Internet key exchange, type of encryption
> esp=aes128-sha256-modp1024 #Internet key exchange, type of encryption
> #esp=aes128-sha1-modp1024 #Internet key exchange, type of encryption
> keyexchange=ikev1 #Internet key exchange version
> #pfs=yes
> #pfsgroup=modp1024
> #rightprotoport = udp/1801
> #rightikeport=1801
>
> ---------------------configuration information provided by the remote host---------------------
>
> Public IP: 173.14.59.177
>
> Local network: 10.1.25.0/24
>
> Remote network: 172.20.22.0/24
>
>
>
> Phase 1
>
> key: preshare
>
> DH Group: 2
>
> encryption: AES 128
>
> hash: SHA1
>
>
>
> Phase 2
>
> DH Group: 2 (pfs)
>
> protocal: ESP
>
> encryption: AES 128
>
> hash: SHA1
>
>
>
> Ports
>
> TCP: 1801
>
> UDP: 1801, 3527
>
> --------------------- log-------------------------
>
> initiating Main Mode IKE_SA VPN[1] to 173.14.59.177
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (156 bytes)
> received packet: from 173.14.59.177[500] to 66.60.177.3[500] (160 bytes)
> parsed ID_PROT response 0 [ SA V V V ]
> received unknown vendor ID: 94:36:e8:d6:71:74:ef:9a:ed:06:8d:5a:d5:21:3f:18:7a:3f:8b:a6:00:00:00:16:00:00:06:1e
> received DPD vendor ID
> received unknown vendor ID: 48:65:61:72:74:42:65:61:74:5f:4e:6f:74:69:66:79:38:6b:01:00
> generating ID_PROT request 0 [ KE No ]
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (196 bytes)
> received packet: from 173.14.59.177[500] to 66.60.177.3[500] (196 bytes)
> parsed ID_PROT response 0 [ KE No ]
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (76 bytes)
> received packet: from 173.14.59.177[500] to 66.60.177.3[500] (76 bytes)
> parsed ID_PROT response 0 [ ID HASH ]
> IKE_SA VPN[1] established between 66.60.177.3[66.60.177.3]...173.14.59.177[173.14.59.177]
> scheduling reauthentication in 9941s
> maximum IKE_SA lifetime 10481s
> generating QUICK_MODE request 601747937 [ HASH SA No KE ID ID ]
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
> sending retransmit 1 of request message ID 601747937, seq 4
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
> sending retransmit 2 of request message ID 601747937, seq 4
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
> sending retransmit 3 of request message ID 601747937, seq 4
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
> sending retransmit 4 of request message ID 601747937, seq 4
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
> sending retransmit 5 of request message ID 601747937, seq 4
> sending packet: from 66.60.177.3[500] to 173.14.59.177[500] (316 bytes)
> giving up after 5 retransmits
> establishing connection 'VPN' failed
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200313/ebeaf44b/attachment.sig>
More information about the Users
mailing list