[strongSwan] Site-to-site VPN configuration help
Dafydd Tomos
d at fydd.org
Wed Mar 25 15:13:25 CET 2020
Hi,
I am using strongSwan to connect to a supplier's VPN, but am having
trouble understanding the IP network ranges required.
The server I'm connecting from is a Debian server with strongswan 5.5.1.
It has one public IP in a /29 so has one interface (bond0 using
eth0/eth1). There are iptables rules for incoming traffic, nothing for
outgoing. I ended up adding an interface for 10.100.15.1 as that is what
appears to be required.
The 3rd party has supplied details for a Fortigate VPN. I have an AWS
VPN endpoint IP along with the usual encryption details, using a PSK. It
wants AES256 + SHA256 + DH Group 5.
It lists two 'encryption domain' IP ranges for their side. It also
provides an encryption domain for our side. Here's the ipsec.conf,
anonymised:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn server-to-aws
    authby=secret
    type=tunnel
    auto=start
    compress=no
    leftid=server
    # I tried these first
    # left=x.x.x.x (public IP of our server)
    # leftsubnet=x.x.x.x/29
    left=10.100.15.1
    # encryption domain for our side, mandated by 3rd party
    leftsubnet=10.100.15.0/24
    leftfirewall=no
    # public VPN endpoint of 3rd party
    right=y.y.y.y
    rightid=aws
    # encryption domain of 3rd party
    rightsubnet=172.21.0.0/16,172.22.0.0/16
    keyexchange=ikev1
    ike=aes256-sha256-modp1536
    esp=aes256-sha256-modp1536
    ikelifetime=24h
    lifetime=24h
    dpddelay=15
    dpdtimeout=30
Here's the log, anonymised with the same IPs:
Mar 25 14:03:55 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
Mar 25 14:03:55 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 25 14:03:55 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 25 14:03:55 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 25 14:03:55 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 25 14:03:55 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 25 14:03:55 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 25 14:03:55 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Mar 25 14:03:55 charon: 00[CFG] loaded IKE secret for 10.100.15.1 y.y.y.y
Mar 25 14:03:55 charon: 00[CFG] loaded IKE secret for x.x.x.x y.y.y.y
Mar 25 14:03:55 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default ck stroke updown
Mar 25 14:03:55 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 25 14:03:55 charon: 00[JOB] spawning 16 worker threads
Mar 25 14:03:55 charon: 16[CFG] received stroke: add connection 'server-to-aws'
Mar 25 14:03:55 charon: 16[CFG] added configuration 'server-to-aws'
Mar 25 14:03:55 charon: 07[CFG] received stroke: initiate 'server-to-aws'
Mar 25 14:03:55 charon: 07[IKE] initiating Main Mode IKE_SA server-to-aws[1] to y.y.y.y
Mar 25 14:03:55 charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Mar 25 14:03:55 charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:03:59 charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 25 14:03:59 charon: 12[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:06 charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Mar 25 14:04:06 charon: 11[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:15 charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:15 charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Mar 25 14:04:15 charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:15 charon: 07[ENC] generating INFORMATIONAL_V1 request 852369688 [ N(NO_PROP) ]
Mar 25 14:04:15 charon: 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Mar 25 14:04:16 snmpd[1797]: error on subcontainer 'ia_addr' insert (-1)
Mar 25 14:04:18 charon: 10[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:18 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Mar 25 14:04:18 charon: 10[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:18 charon: 10[ENC] generating INFORMATIONAL_V1 request 699850337 [ N(NO_PROP) ]
Mar 25 14:04:18 charon: 10[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Mar 25 14:04:19 charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
Mar 25 14:04:19 charon: 14[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:24 charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 25 14:04:24 charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
thanks
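An added diagnostic example, not code from the post or from the strongSwan project. The log above shows charon initiating from 10.100.15.1 while the peer's Main Mode replies arrive at the public address x.x.x.x, so charon finds no IKE config for x.x.x.x...y.y.y.y and answers NO_PROPOSAL_CHOSEN. In strongSwan, `left` names the local IKE endpoint address and `leftsubnet` names the traffic selector (the "encryption domain"); the two need not be the same address. The script below reads a constructed ipsec.conf fragment and constructed charon log lines that use the same placeholder addresses as the post, and reports any conn whose configured `left` differs from the address the peer actually sends to. The SAMPLE_CONF and SAMPLE_LOG contents, the parse_ipsec_conf() and diagnose() functions and their output format are assumptions of this example.

```python
"""Correlate a strongSwan ipsec.conf with charon log lines to explain a
'no IKE config found ... NO_PROPOSAL_CHOSEN' failure caused by a 'left'
address that the peer never talks to. Added example, not from the post."""
import re

# Constructed ipsec.conf fragment mirroring the post (placeholders kept).
SAMPLE_CONF = """\
conn server-to-aws
    left=10.100.15.1
    leftsubnet=10.100.15.0/24
    right=y.y.y.y
    rightsubnet=172.21.0.0/16,172.22.0.0/16
    keyexchange=ikev1
"""

# Constructed charon log excerpt using the same placeholder addresses.
SAMPLE_LOG = """\
Mar 25 14:03:55 charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:15 charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:15 charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
"""

# "received packet: from PEER[port] to LOCAL[port]"
RECV_RE = re.compile(r"received packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
# "no IKE config found for LOCAL...PEER,"
NOCFG_RE = re.compile(r"no IKE config found for ([\w.]+?)\.\.\.([\w.]+)")

# Wildcard values for 'left' that charon resolves at runtime, so they cannot mismatch.
WILDCARD_LEFT = ("%any", "%defaultroute")


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: section headers ('conn NAME', 'config setup')
    start at column 0, 'key=value' parameters are indented below them.
    Returns {section_header: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def diagnose(conf_text, log_text):
    """Return a list of (conn_name, configured_left, observed_local, peer)
    for every conn whose 'left' address is not one the peer actually reached."""
    conns = {name[5:]: params
             for name, params in parse_ipsec_conf(conf_text).items()
             if name.startswith("conn ")}

    observed = {}  # peer address -> set of local addresses the peer sent to
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            peer, local = m.groups()
            observed.setdefault(peer, set()).add(local)
        m = NOCFG_RE.search(line)
        if m:
            local, peer = m.groups()
            observed.setdefault(peer, set()).add(local)

    findings = []
    for name, params in conns.items():
        left, right = params.get("left"), params.get("right")
        if right in observed and left not in WILDCARD_LEFT and left not in observed[right]:
            for local in sorted(observed[right]):
                findings.append((name, left, local, right))
    return findings


if __name__ == "__main__":
    for name, left, local, peer in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(f"conn {name}: left={left}, but {peer} replies to {local}; "
              f"the IKE endpoint should be {local}, with leftsubnet kept as the "
              f"encryption domain")
```

Run against the constructed input it reports that `server-to-aws` has `left=10.100.15.1` while y.y.y.y replies to x.x.x.x; with `left=x.x.x.x` in the config it reports nothing. The same script can be pointed at a real `/etc/ipsec.conf` and `journalctl -u strongswan` output, since the regular expressions match charon's own NET and IKE log formats.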