[strongSwan] Site-to-site VPN configuration help

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Mar 25 15:29:19 CET 2020


Hi,

Configure debug logging as shown on the HelpRequests[1] page and post it.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Am 25.03.20 um 15:13 schrieb Dafydd Tomos:
> Hi,
> 
> I am using strongSwan to connect to a supplier's VPN, but am having trouble understanding the IP network ranges required.
> 
> The server I'm connecting from is a Debian server with strongswan 5.5.1. It has one public IP in a /29 so has one interface (bond0 using eth0/eth1). There are iptables rules for incoming traffic, nothing for outgoing. I ended up adding an interface for 10.100.15.1 as that what appears to be required.
> 
> The 3rd party has supplied details for a Fortigate VPN. I have an AWS VPN endpoint IP along with the usual encryption details, using a PSK. It wants AES256 + SHA256 + DH Group 5
> 
> It lists two 'encryption domain' IP ranges for their side. It also provides an encryption domain for our side. Here's the ipsec.conf, anonymised
> 
> 
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         charondebug="all"
>         uniqueids=yes
>         strictcrlpolicy=no
> 
> conn server-to-aws
>         authby=secret
>         type=tunnel
>         auto=start
>         compress=no
> 
>         leftid=server
> # I tried these first
> #       left=x.x.x.x
> #       # public IP of our server
> #       leftsubnet=x.x.x.x/29
>         left=10.100.15.1
>         # encryption domain for our side, mandated by 3rd party
>         leftsubnet=10.100.15.0/24
>         leftfirewall=no
> 
>         # public VPN endpoint of 3rd party
>         right=y.y.y.y
>         rightid=aws
>         # encryption domain of 3rd party
>         rightsubnet=172.21.0.0/16,172.22.0.0/16
>         keyexchange=ikev1
>         ike=aes256-sha256-modp1536
>         esp=aes256-sha256-modp1536
>         ikelifetime=24h
>         lifetime=24h
>         dpddelay=15
>         dpdtimeout=30
> 
> Here's the log, anonymised with the same IPs
> 
> Mar 25 14:03:55  charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
> Mar 25 14:03:55  charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Mar 25 14:03:55  charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Mar 25 14:03:55  charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Mar 25 14:03:55  charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Mar 25 14:03:55  charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Mar 25 14:03:55  charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Mar 25 14:03:55  charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
> Mar 25 14:03:55  charon: 00[CFG]   loaded IKE secret for 10.100.15.1 y.y.y.y
> Mar 25 14:03:55  charon: 00[CFG]   loaded IKE secret for x.x.x.x y.y.y.y
> Mar 25 14:03:55  charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default ck stroke updown
> Mar 25 14:03:55  charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Mar 25 14:03:55  charon: 00[JOB] spawning 16 worker threads
> Mar 25 14:03:55  charon: 16[CFG] received stroke: add connection 'server-to-aws'
> Mar 25 14:03:55  charon: 16[CFG] added configuration 'server-to-aws'
> Mar 25 14:03:55  charon: 07[CFG] received stroke: initiate 'server-to-aws'
> Mar 25 14:03:55  charon: 07[IKE] initiating Main Mode IKE_SA server-to-aws[1] to y.y.y.y
> Mar 25 14:03:55  charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
> Mar 25 14:03:55  charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Mar 25 14:03:59  charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
> Mar 25 14:03:59  charon: 12[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Mar 25 14:04:06  charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
> Mar 25 14:04:06  charon: 11[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Mar 25 14:04:15  charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
> Mar 25 14:04:15  charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
> Mar 25 14:04:15  charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
> Mar 25 14:04:15  charon: 07[ENC] generating INFORMATIONAL_V1 request 852369688 [ N(NO_PROP) ]
> Mar 25 14:04:15  charon: 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
> Mar 25 14:04:16  snmpd[1797]: error on subcontainer 'ia_addr' insert (-1)
> Mar 25 14:04:18  charon: 10[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
> Mar 25 14:04:18  charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
> Mar 25 14:04:18  charon: 10[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
> Mar 25 14:04:18  charon: 10[ENC] generating INFORMATIONAL_V1 request 699850337 [ N(NO_PROP) ]
> Mar 25 14:04:18  charon: 10[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
> Mar 25 14:04:19  charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
> Mar 25 14:04:19  charon: 14[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Mar 25 14:04:24  charon: 00[DMN] signal of type SIGINT received. Shutting down
> Mar 25 14:04:24  charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
> 
> 
> thanks
> 

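An added example, not part of either message in this thread: a small Python script that runs over charon log lines of the kind quoted above and reports when IKE traffic with one peer involves more than one local address. In the quoted log the initiator sends its Main Mode request from 10.100.15.1, the peer's packets arrive on the public address x.x.x.x, and charon answers "no IKE config found for x.x.x.x...y.y.y.y" with NO_PROPOSAL_CHOSEN. In strongSwan, `left`/`right` are the IKE endpoint addresses and `leftsubnet`/`rightsubnet` are the traffic selectors (the "encryption domains"), so a conn only matches when its `left` address is the one the peer actually talks to. The sample log below is constructed from the anonymised lines in the post; the function names and the finding text are mine.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, patterned on the charon log lines quoted in the post
# (same anonymisation: x.x.x.x = our public IP, y.y.y.y = the peer).
SAMPLE_LOG = """\
Mar 25 14:03:55  charon: 07[IKE] initiating Main Mode IKE_SA server-to-aws[1] to y.y.y.y
Mar 25 14:03:55  charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:03:59  charon: 12[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:15  charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:15  charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:15  charon: 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
"""

# charon's [NET] lines always carry "from A[port] to B[port]"; addresses never
# contain whitespace or commas, so [^\s,]+ is enough to pick them out.
SEND_RE = re.compile(r"\[NET\] sending packet: from ([^\s,\[]+)\[\d+\] to ([^\s,\[]+)\[\d+\]")
RECV_RE = re.compile(r"\[NET\] received packet: from ([^\s,\[]+)\[\d+\] to ([^\s,\[]+)\[\d+\]")
NOCFG_RE = re.compile(r"\[IKE\] no IKE config found for ([^\s,]+)\.\.\.([^\s,]+)")


def analyse(log_text):
    """Collect, per remote IKE peer, the local addresses involved.

    Returns three dicts keyed by peer address:
      sent_from   - local addresses our own packets left from
      received_on - local addresses the peer's packets arrived on
      no_config   - local addresses for which charon found no conn
    """
    sent_from = defaultdict(set)
    received_on = defaultdict(set)
    no_config = defaultdict(set)
    for line in log_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            local, peer = m.groups()
            sent_from[peer].add(local)
            continue
        m = RECV_RE.search(line)
        if m:
            peer, local = m.groups()
            received_on[peer].add(local)
            continue
        m = NOCFG_RE.search(line)
        if m:
            local, peer = m.groups()
            no_config[peer].add(local)
    return sent_from, received_on, no_config


def find_mismatches(log_text):
    """Return human-readable findings about local-address mismatches."""
    sent_from, received_on, no_config = analyse(log_text)
    findings = []
    for peer in sorted(set(sent_from) | set(received_on) | set(no_config)):
        locals_seen = sent_from[peer] | received_on[peer]
        if len(locals_seen) > 1:
            findings.append(
                f"peer {peer}: IKE traffic uses {len(locals_seen)} local addresses "
                f"{sorted(locals_seen)}; a conn's left= must be the local address "
                f"the peer sends to, so one of these cannot be matched"
            )
        for local in sorted(no_config[peer]):
            findings.append(
                f"peer {peer}: no conn has left={local}; charon rejected the "
                f"peer's attempt with NO_PROPOSAL_CHOSEN"
            )
    return findings


if __name__ == "__main__":
    # With a file argument, analyse that log; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in find_mismatches(text) or ["no local-address mismatch found"]:
        print(finding)
```

Run it against the charon output in syslog (or the debug log Noel asks for) to see whether the peer's packets land on an address other than the one `left=` names. Separately, a caveat on the supplier's proposal: modp1536 (DH group 5) is below the 2048-bit minimum generally recommended today, so if the supplier's Fortigate can be moved to group 14 or higher, ask for it.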