[strongSwan] Site-to-site VPN configuration help

Dafydd Tomos d at fydd.org
Wed Mar 25 15:13:25 CET 2020


Hi,

I am using strongSwan to connect to a supplier's VPN, but am having 
trouble understanding the IP network ranges required.

The server I'm connecting from is a Debian server with strongswan 5.5.1. 
It has one public IP in a /29, so it has one interface (bond0 using 
eth0/eth1). There are iptables rules for incoming traffic, nothing for 
outgoing. I ended up adding an interface for 10.100.15.1 as that is what 
appears to be required.

The 3rd party has supplied details for a Fortigate VPN. I have an AWS 
VPN endpoint IP along with the usual encryption details, using a PSK. It 
wants AES256 + SHA256 + DH Group 5.

It lists two 'encryption domain' IP ranges for their side. It also 
provides an encryption domain for our side. Here's the ipsec.conf, 
anonymised:


config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn server-to-aws
        authby=secret
        type=tunnel
        auto=start
        compress=no

        leftid=server
        # I tried these first
        #       left=x.x.x.x            (public IP of our server)
        #       leftsubnet=x.x.x.x/29
        left=10.100.15.1
        # encryption domain for our side, mandated by 3rd party
        leftsubnet=10.100.15.0/24
        leftfirewall=no

        # public VPN endpoint of 3rd party
        right=y.y.y.y
        rightid=aws
        # encryption domain of 3rd party
        rightsubnet=172.21.0.0/16, 172.22.0.0/16
        keyexchange=ikev1
        ike=aes256-sha256-modp1536
        esp=aes256-sha256-modp1536
        ikelifetime=24h
        lifetime=24h
        dpddelay=15
        dpdtimeout=30

Here's the log, anonymised with the same IPs:

Mar 25 14:03:55  charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
Mar 25 14:03:55  charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 25 14:03:55  charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 25 14:03:55  charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 25 14:03:55  charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 25 14:03:55  charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 25 14:03:55  charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 25 14:03:55  charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Mar 25 14:03:55  charon: 00[CFG]   loaded IKE secret for 10.100.15.1 y.y.y.y
Mar 25 14:03:55  charon: 00[CFG]   loaded IKE secret for x.x.x.x y.y.y.y
Mar 25 14:03:55  charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default ck stroke updown
Mar 25 14:03:55  charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 25 14:03:55  charon: 00[JOB] spawning 16 worker threads
Mar 25 14:03:55  charon: 16[CFG] received stroke: add connection 'server-to-aws'
Mar 25 14:03:55  charon: 16[CFG] added configuration 'server-to-aws'
Mar 25 14:03:55  charon: 07[CFG] received stroke: initiate 'server-to-aws'
Mar 25 14:03:55  charon: 07[IKE] initiating Main Mode IKE_SA server-to-aws[1] to y.y.y.y
Mar 25 14:03:55  charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Mar 25 14:03:55  charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:03:59  charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 25 14:03:59  charon: 12[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:06  charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Mar 25 14:04:06  charon: 11[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:15  charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:15  charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Mar 25 14:04:15  charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:15  charon: 07[ENC] generating INFORMATIONAL_V1 request 852369688 [ N(NO_PROP) ]
Mar 25 14:04:15  charon: 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Mar 25 14:04:16  snmpd[1797]: error on subcontainer 'ia_addr' insert (-1)
Mar 25 14:04:18  charon: 10[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:18  charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Mar 25 14:04:18  charon: 10[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:18  charon: 10[ENC] generating INFORMATIONAL_V1 request 699850337 [ N(NO_PROP) ]
Mar 25 14:04:18  charon: 10[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Mar 25 14:04:19  charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
Mar 25 14:04:19  charon: 14[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:24  charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 25 14:04:24  charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification


thanks
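The log above carries the diagnostic signal in three lines: charon sends its Main Mode request from 10.100.15.1, the peer's reply arrives addressed to x.x.x.x, and charon then reports "no IKE config found for x.x.x.x...y.y.y.y" because no conn has left= set to that address. The following script is an added example (not part of the post, and not strongSwan code) that automates exactly that cross-check: it reads the left= value from a conn in ipsec.conf and compares it with the addresses seen in the charon NET/IKE log lines. The sample config and log lines are constructed from the post, with RFC 5737 documentation addresses standing in for the anonymised x.x.x.x (198.51.100.10) and y.y.y.y (203.0.113.5); the ipsec.conf reader is a deliberately minimal one that only understands section headers and indented key=value lines, not the full strongSwan grammar.

```python
"""Cross-check strongSwan charon log lines against the 'left' address in ipsec.conf."""
import re
from typing import Dict, List, Optional

# Constructed sample input modelled on the post. RFC 5737 documentation addresses
# stand in for the anonymised x.x.x.x (our public IP) and y.y.y.y (peer endpoint).
SAMPLE_CONF = """\
config setup
        charondebug="all"

conn server-to-aws
        authby=secret
        # I tried these first
        #       left=198.51.100.10
        left=10.100.15.1
        leftsubnet=10.100.15.0/24
        right=203.0.113.5
        rightsubnet=172.21.0.0/16, 172.22.0.0/16
        keyexchange=ikev1
"""

SAMPLE_LOG = [
    "Mar 25 14:03:55  charon: 07[NET] sending packet: from 10.100.15.1[500] to 203.0.113.5[500] (252 bytes)",
    "Mar 25 14:04:15  charon: 07[NET] received packet: from 203.0.113.5[500] to 198.51.100.10[500] (292 bytes)",
    "Mar 25 14:04:15  charon: 07[IKE] no IKE config found for 198.51.100.10...203.0.113.5, sending NO_PROPOSAL_CHOSEN",
]

PKT_RE = re.compile(r"\b(sending|received) packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
NOCFG_RE = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+),")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader returning {section: {key: value}}.
    Handles 'config setup' / 'conn NAME' headers at column 0 and indented
    key=value lines; '#' comments are dropped. Not the full strongSwan
    grammar (no 'also=', no '%default' inheritance)."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():
            # section header: 'conn server-to-aws' -> 'server-to-aws'
            current = line.split(None, 1)[-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_charon_log(lines: List[str]) -> List[dict]:
    """Pull IKE packet events and 'no IKE config found' events out of charon log lines."""
    events: List[dict] = []
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            events.append({"kind": m.group(1), "src": m.group(2), "dst": m.group(3)})
            continue
        m = NOCFG_RE.search(line)
        if m:
            events.append({"kind": "no_config", "local": m.group(1), "remote": m.group(2)})
    return events


def diagnose(conf_text: str, log_lines: List[str], conn: str) -> List[str]:
    """Compare what charon actually sends and receives with the conn's 'left'.
    Findings are returned in the order they are detected."""
    left = parse_ipsec_conf(conf_text).get(conn, {}).get("left")
    findings: List[str] = []
    initiator_src: Optional[str] = None   # source of our first outbound IKE packet
    received_at = set()                   # local addresses the peer actually replies to
    for ev in parse_charon_log(log_lines):
        if ev["kind"] == "sending":
            initiator_src = initiator_src or ev["src"]
        elif ev["kind"] == "received":
            received_at.add(ev["dst"])
            if left and ev["dst"] != left:
                findings.append(
                    f"peer {ev['src']} addressed IKE to {ev['dst']}, but conn {conn} "
                    f"has left={left}; charon cannot match the inbound packet to it")
        elif ev["kind"] == "no_config":
            findings.append(
                f"charon answered local {ev['local']} <-> remote {ev['remote']} with "
                f"NO_PROPOSAL_CHOSEN: no conn covers that address pair")
    if initiator_src and received_at and initiator_src not in received_at:
        findings.append(
            f"asymmetric addressing: we initiate IKE from {initiator_src} but the "
            f"peer replies to {sorted(received_at)}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG, "server-to-aws"):
        print("-", finding)
```

Run against the real files with `diagnose(open("/etc/ipsec.conf").read(), open("/var/log/syslog").read().splitlines(), "server-to-aws")`; an empty result means every inbound IKE packet landed on the address the conn declares as left=, which is the precondition for charon to match a Main Mode request to a configuration at all.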
