[strongSwan] failed to configure VPN behind my router

jl.boussel at laposte.net jl.boussel at laposte.net
Mon Mar 30 11:42:37 CEST 2020


Hello,
I need to configure a VPN server for road warrior devices.
The RW establishes the tunnel, and then a local process on the server hosting strongSwan must access the RW device.
The RW config is preset; I can only change the VPN server IP address to reach.
My VPN server is behind my internet access router, with NAT and port forwarding of ports 500/4500.
I must be making a stupid error, but I cannot make it run.
I looked at samples and tried both ipsec.conf and swanctl.conf.
With ipsec.conf, I always fail with "no matching peer config found".
With swanctl, I found a way to establish the tunnel; keep-alives are exchanged, but the tunnel seems not to be well configured
(for that I must add my public IP to local_ts: local_ts = 192.168.1.55,XXX.XXX.166.2).
I would appreciate your help.

Peer1 - AccessRouter1wNAT ============== MyAccessRouterWithNAT =================== ServerStrongSwan
@PUB1                                    My @Pub / 192.168.1.1 (default gwy)         192.168.1.55
                                         Port forward (500,4500) ===================>
<=========================================== HTTPS over tunnel ===================

------------------------------------------------------------------------------------------------ 
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="all"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn Peervpn
    right=%any
    rightsubnet=10.10.10.0/28

    #My at PUB=XXX.XXX.166.2 # don't know what to do with my @ Pub

    left=192.168.1.55
    leftfirewall=yes
    leftsubnet=192.168.1.0/24

    ah=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    ike=aes256-sha256-modp2048
    auto=add
------------------------------------------------------------------------------------------------ 
ipsec.secrets: 
# This file holds shared secrets or RSA private keys for authentication. 
10.10.10.1 : PSK myterriblesecretwithpeer1 
myPeer1 : PSK myterriblesecretwithpeer1 
------------------------------------------------------------------------------------------------ 
sudo ipsec statusall 
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.19.66-v7+, armv7l): 
uptime: 6 seconds, since Mar 30 09:45:02 2020 
malloc: sbrk 1216512, mmap 0, used 215368, free 1001144 
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0 
loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown 
Listening IP addresses: 
192.168.1.55 
2a01:cb10:593:cf00:137:62f2:f7e8:274c 
10.6.0.1 
Connections: 
Peervpn: 192.168.1.55...%any IKEv2 
Peervpn: local: [192.168.1.55] uses pre-shared key authentication 
Peervpn: remote: uses pre-shared key authentication 
Peervpn: child: 192.168.1.0/24 === 10.10.10.0/28 TUNNEL 
Security Associations (0 up, 0 connecting): none 
------------------------------------------------------------------------------------------------ 
sudo swanctl --log 
10[NET] received packet: from 80.14.87.221[58694] to 192.168.1.55[500] (464 bytes) 
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] 
10[IKE] 80.14.87.221 is initiating an IKE_SA 
10[IKE] local host is behind NAT, sending keep alives 
10[IKE] remote host is behind NAT 
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ] 
10[NET] sending packet: from 192.168.1.55[500] to 80.14.87.221[58694] (464 bytes) 
14[NET] received packet: from 80.14.87.221[58698] to 192.168.1.55[4500] (304 bytes) 
14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] 
14[CFG] looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1] 
14[CFG] no matching peer config found 
14[IKE] peer supports MOBIKE 
14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 
14[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58698] (80 bytes) 


------------------------------------------------------------------------------------------------ 
Don't waste your time with this second syntax based on swanctl if you have found how to set up the ipsec.conf one.

When using swanctl.conf with my public IP in local_ts, the tunnel seems to be established, but not the routing.
Should I make it by hand in place of the _updown script, or is this tunnel badly set up?

XXX.XXX.166.2 {
    RemotePeers {
        version = 2
        proposals = aes256-sha256-modp2048
        local_addrs = 192.168.1.55
        pools = rw_pool
        local { # don't know why auth for local...
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            RemotePeersVPN {
                local_ts = 192.168.1.55,XXX.XXX.166.2
                #local_ts = 192.168.1.55

                # Don't know why I cannot find it in /usr/local/libexec but found it in /usr/lib
                # updown = /usr/local/libexec/ipsec/_updown iptables
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
    }
}
pools {
    rw_pool {
        addrs = 10.10.10.0/28
    }
}
secrets {
    ike-remote-Peer1 {
        id = myPeer1
        secret = myterriblesecretwithpeer1
    }
}
------------------------------------------------------------------------------------------------ 
sudo ipsec statusall 
XXX.XXX.166.2: 
RemotePeers: 192.168.1.55...%any IKEv2 
RemotePeers: local: uses pre-shared key authentication 
RemotePeers: remote: uses pre-shared key authentication 
RemotePeersVPN: child: 192.168.1.55/32 XXX.XXX.166.2/32 === dynamic TUNNEL 
Security Associations (0 up, 0 connecting): none 
------------------------------------------------------------------------------------------------ 
sudo swanctl --log 
12[NET] received packet: from 80.14.87.221[58736] to 192.168.1.55[500] (464 bytes) 
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] 
12[IKE] 80.14.87.221 is initiating an IKE_SA 
12[IKE] local host is behind NAT, sending keep alives 
12[IKE] remote host is behind NAT 
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ] 
12[NET] sending packet: from 192.168.1.55[500] to 80.14.87.221[58736] (464 bytes) 
10[NET] received packet: from 80.14.87.221[58737] to 192.168.1.55[4500] (304 bytes) 
10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] 
10[CFG] looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1] 
10[CFG] selected peer config 'RemotePeers' 
10[IKE] authentication of 'myPeer1' with pre-shared key successful 
10[IKE] peer supports MOBIKE 
10[IKE] authentication of 'XXX.XXX.166.2' (myself) with pre-shared key 
10[IKE] IKE_SA RemotePeers[1] established between 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1] 
10[IKE] scheduling rekeying in 13593s 
10[IKE] maximum IKE_SA lifetime 15033s 
10[IKE] peer requested virtual IP %any 
10[CFG] assigning new lease to 'myPeer1' 
10[IKE] assigning virtual IP 10.10.10.1 to peer 'myPeer1' 
10[IKE] CHILD_SA RemotePeersVPN{1} established with SPIs ca64039c_i c33dcf71_o and TS XXX.XXX.166.2/32 === 10.10.10.1/32 
10[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ] 
10[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58737] (288 bytes) 
05[IKE] sending keep alive to 80.14.87.221[58737] 
08[NET] received packet: from 80.14.87.221[58737] to 192.168.1.55[4500] (128 bytes) 
08[ENC] parsed INFORMATIONAL request 2 [ N(NATD_S_IP) N(NATD_D_IP) ] 
08[ENC] generating INFORMATIONAL response 2 [ N(NATD_S_IP) N(NATD_D_IP) ] 
08[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58737] (128 bytes) 
---------- 
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.19.66-v7+, armv7l): 
XXX.XXX.166.2: 
RemotePeers: 192.168.1.55...%any IKEv2 
RemotePeers: local: uses pre-shared key authentication 
RemotePeers: remote: uses pre-shared key authentication 
RemotePeersVPN: child: 192.168.1.55/32 XXX.XXX.166.2/32 === dynamic TUNNEL 
Security Associations (1 up, 0 connecting): 
RemotePeers[1]: ESTABLISHED 7 minutes ago, 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1] 
RemotePeers[1]: IKEv2 SPIs: 51aac4f5007e70b6_i 88876b56d5d9029d_r*, rekeying in 3 hours 
RemotePeers[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 
RemotePeersVPN{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca64039c_i c33dcf71_o 
RemotePeersVPN{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes 
RemotePeersVPN{1}: XXX.XXX.166.2/32 === 10.10.10.1/32 
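Added diagnostic for the "no matching peer config found" line in the first swanctl --log above; this is an example written for this thread, not the poster's code and not part of strongSwan. It is a simplified model of charon's lookup that checks only addresses and IKE identities, assumes the documented ipsec.conf defaults (leftid falls back to the left address, rightid to %any), and uses a trimmed copy of the poster's conn section plus the CFG log line as constructed sample input.

```python
"""Constructed diagnostic for charon's 'no matching peer config found'; a
simplified model of the lookup that assumes ipsec.conf's documented
defaults: leftid falls back to left, rightid to %any."""
import re
# Constructed sample: the poster's conn (trimmed) and the CFG log line
SAMPLE_CONF = """
conn Peervpn
    keyexchange=ikev2
    right=%any
    left=192.168.1.55    # leftid not set, so it defaults to 192.168.1.55
"""
SAMPLE_LOG = ("14[CFG] looking for peer configs matching "
              "192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]")
LOOKUP_RE = re.compile(r"looking for peer configs matching "
                       r"(?P<laddr>\S+?)\[(?P<lid>[^\]]*)\]\.\.\."
                       r"(?P<raddr>\S+?)\[(?P<rid>[^\]]*)\]")

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with any %default section merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}

def parse_lookup(line):
    m = LOOKUP_RE.search(line)   # addresses and IDs charon is matching on
    return m.groupdict() if m else None

def diagnose(conns, lookup):
    """Return (matching conn names, reason for each rejected conn)."""
    matches, reasons = [], []
    for name, c in conns.items():
        left = c.get("left", "%any")
        leftid, rightid = c.get("leftid", left), c.get("rightid", "%any")
        if left not in ("%any", "%defaultroute") and left != lookup["laddr"]:
            reasons.append(f"{name}: left={left} is not {lookup['laddr']}")
        elif leftid != "%any" and leftid != lookup["lid"]:
            reasons.append(f"{name}: IDr {lookup['lid']} is not effective leftid {leftid}")
        elif rightid != "%any" and rightid != lookup["rid"]:
            reasons.append(f"{name}: IDi {lookup['rid']} is not rightid {rightid}")
        else:
            matches.append(name)
    return matches, reasons
```

On the poster's log line the conn is rejected because the road warrior proposes IDr XXX.XXX.166.2 (the public address it dials) while the effective leftid is 192.168.1.55; setting leftid to that public address, or to %any, makes the same conn match.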

