[strongSwan] failed to configure VPN behind my router

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Mar 30 12:15:54 CEST 2020


Hi,

Some things:
1) Your tunnel only protects traffic between exactly two IP addresses (XXX.XXX.166.2/32 and 10.10.10.1/32), which is probably not what you want.

Looks like the remote peer narrows the TS to the IP addresses instead of the networks you want.
Did you configure the exact networks you require?
2) The iptables/nftables rules also pertain to the function of the VPN.
Please provide all data as shown on the HelpRequests[1] page.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 30.03.20 at 11:42, jl.boussel at laposte.net wrote:
> Hello
> I need to configure a VPN server for road warriors devices
> RW establishes the tunnel and then a local process of the server hosting strongSwan must access the RW device.
> RW config is preset, I can only change the VPN server IP @ to reach.
> My VPN server is behind my internet access router with NAT and port forwarding of ports 500/4500
> I must be making a stupid error but I cannot make it run
> I looked at samples, I tried both ipsec.conf and swanctl.conf
> with ipsec.conf, I always fail with "no matching peer config found"
> with swanctl, I found a way to establish the tunnel, keep alives are exchanged but the tunnel seems not to be well configured
> (for that I must add my public IP in the local_ts:  local_ts  =  192.168.1.55,XXX.XXX.166.2)
> I would appreciate your help
> 
> Peer1  - AccessRouter1wNAT  ==============    MyAccessRouterwithNAT =================== ServerStrongSwan  
>                                         @PUB1                        My at Pub            192.168.1.1(Defgwy)                                 192.168.1.55
>                                                                                                Port Foward (500,4500) =========================>
>         <===========================================    HTTPS over Tunnel     ===================
> 
> ------------------------------------------------------------------------------------------------
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>         charondebug="all"
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         authby=secret
> conn Peervpn
>         right=%any
>         rightsubnet=10.10.10.0/28
> 
>         #My at PUB=XXX.XXX.166.2    # don't know what to do with my @ Pub
>      
>         left=192.168.1.55
>         leftfirewall=yes
>         leftsubnet=192.168.1.0/24
> 
>         ah=aes256-sha256-modp2048
>         esp=aes256-sha256-modp2048
>         ike=aes256-sha256-modp2048
>         auto=add
> ------------------------------------------------------------------------------------------------
> ipsec.secrets:
> # This file holds shared secrets or RSA private keys for authentication.
> 10.10.10.1 : PSK myterriblesecretwithpeer1
> myPeer1 : PSK myterriblesecretwithpeer1
> ------------------------------------------------------------------------------------------------
> sudo ipsec statusall
> Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.19.66-v7+, armv7l):
>   uptime: 6 seconds, since Mar 30 09:45:02 2020
>   malloc: sbrk 1216512, mmap 0, used 215368, free 1001144
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown
> Listening IP addresses:
>   192.168.1.55
>   2a01:cb10:593:cf00:137:62f2:f7e8:274c
>   10.6.0.1
> Connections:
>      Peervpn:  192.168.1.55...%any  IKEv2
>      Peervpn:   local:  [192.168.1.55] uses pre-shared key authentication
>      Peervpn:   remote: uses pre-shared key authentication
>      Peervpn:   child:  192.168.1.0/24 === 10.10.10.0/28 TUNNEL
> Security Associations (0 up, 0 connecting):  none
> ------------------------------------------------------------------------------------------------
> sudo swanctl --log
> 10[NET] received packet: from 80.14.87.221[58694] to 192.168.1.55[500] (464 bytes)
> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 10[IKE] 80.14.87.221 is initiating an IKE_SA
> 10[IKE] local host is behind NAT, sending keep alives
> 10[IKE] remote host is behind NAT
> 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> 10[NET] sending packet: from 192.168.1.55[500] to 80.14.87.221[58694] (464 bytes)
> 14[NET] received packet: from 80.14.87.221[58698] to 192.168.1.55[4500] (304 bytes)
> 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 14[CFG] looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
> 14[CFG] no matching peer config found
> 14[IKE] peer supports MOBIKE
> 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 14[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58698] (80 bytes)
> 
> 
> ------------------------------------------------------------------------------------------------
> ------------------------------------------------------------------------------------------------
> Don't waste your time with this second syntax based on swanctl, if you found how to set the ipconf one
> 
> When using swanctl.conf with my PUB IP in local_ts, the tunnel seems to be established but not the routing
> Should I make it by hand in place of the _updown script or is this tunnel badly set?
> 
> XXX.XXX.166.2 {
>    RemotePeers {
>       version = 2
>       proposals = aes256-sha256-modp2048
>       local_addrs  = 192.168.1.55
>       pools = rw_pool
>       local {      # dont know why auth for local...
>          auth = psk
>       }
>       remote {
>          auth = psk
>       }
>       children {
>          RemotePeersVPN {
>             local_ts  =  192.168.1.55,XXX.XXX.166.2
>             #local_ts  =  192.168.1.55
> 
>             # Dont know why cannot find it in /usr/local/libexec but found /usr/lib
>             # updown = /usr/local/libexec/ipsec/_updown iptables
>             updown = /usr/lib/ipsec/_updown iptables
>          }
>       }
>    }
> }
> pools {
>    rw_pool {
>       addrs = 10.10.10.0/28
>    }
> }
> secrets {
>    ike-remote-Peer1 {
>       id = myPeer1
>       secret = myterriblesecretwithpeer1
>    }
> }
> ------------------------------------------------------------------------------------------------
> sudo ipsec statusall
> XXX.XXX.166.2:
>  RemotePeers:  192.168.1.55...%any  IKEv2
>  RemotePeers:   local:  uses pre-shared key authentication
>  RemotePeers:   remote: uses pre-shared key authentication
> RemotePeersVPN:   child:  192.168.1.55/32 XXX.XXX.166.2/32 === dynamic TUNNEL
> Security Associations (0 up, 0 connecting):  none
> ------------------------------------------------------------------------------------------------
> sudo swanctl --log
> 12[NET] received packet: from 80.14.87.221[58736] to 192.168.1.55[500] (464 bytes)
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 12[IKE] 80.14.87.221 is initiating an IKE_SA
> 12[IKE] local host is behind NAT, sending keep alives
> 12[IKE] remote host is behind NAT
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> 12[NET] sending packet: from 192.168.1.55[500] to 80.14.87.221[58736] (464 bytes)
> 10[NET] received packet: from 80.14.87.221[58737] to 192.168.1.55[4500] (304 bytes)
> 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 10[CFG] looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
> 10[CFG] selected peer config 'RemotePeers'
> 10[IKE] authentication of 'myPeer1' with pre-shared key successful
> 10[IKE] peer supports MOBIKE
> 10[IKE] authentication of 'XXX.XXX.166.2' (myself) with pre-shared key
> 10[IKE] IKE_SA RemotePeers[1] established between 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
> 10[IKE] scheduling rekeying in 13593s
> 10[IKE] maximum IKE_SA lifetime 15033s
> 10[IKE] peer requested virtual IP %any
> 10[CFG] assigning new lease to 'myPeer1'
> 10[IKE] assigning virtual IP 10.10.10.1 to peer 'myPeer1'
> 10[IKE] CHILD_SA RemotePeersVPN{1} established with SPIs ca64039c_i c33dcf71_o and TS XXX.XXX.166.2/32 === 10.10.10.1/32
> 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> 10[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58737] (288 bytes)
> 05[IKE] sending keep alive to 80.14.87.221[58737]
> 08[NET] received packet: from 80.14.87.221[58737] to 192.168.1.55[4500] (128 bytes)
> 08[ENC] parsed INFORMATIONAL request 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
> 08[ENC] generating INFORMATIONAL response 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
> 08[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58737] (128 bytes)
> ----------
> Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.19.66-v7+, armv7l):
> XXX.XXX.166.2:
>  RemotePeers:  192.168.1.55...%any  IKEv2
>  RemotePeers:   local:  uses pre-shared key authentication
>  RemotePeers:   remote: uses pre-shared key authentication
> RemotePeersVPN:   child:  192.168.1.55/32 XXX.XXX.166.2/32 === dynamic TUNNEL
> Security Associations (1 up, 0 connecting):
>  RemotePeers[1]: ESTABLISHED 7 minutes ago, 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
>  RemotePeers[1]: IKEv2 SPIs: 51aac4f5007e70b6_i 88876b56d5d9029d_r*, rekeying in 3 hours
>  RemotePeers[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> RemotePeersVPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca64039c_i c33dcf71_o
> RemotePeersVPN{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
> RemotePeersVPN{1}:   XXX.XXX.166.2/32 === 10.10.10.1/32
> 
> 

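The two symptoms in the thread are both visible in single charon log lines: the `looking for peer configs matching A[idA]...B[idB]` line followed by `no matching peer config found`, and the `CHILD_SA ... established with ... TS X === Y` line, which Noel reads as the peer narrowing the selectors to two single addresses. The script below is an added example (it is not from the thread or from the strongSwan project) that parses such lines and compares them against what the administrator configured and intended. The log lines inside it are constructed to match the shape of the quoted ones, with the TEST-NET-3 address 203.0.113.2 standing in for the masked public address XXX.XXX.166.2, and the configured local ids and intended networks passed to `check()` are assumptions, not something the thread confirms.

```python
"""Sanity checks over charon log lines for two symptoms: a failed peer-config
lookup, and a CHILD_SA whose traffic selectors do not match the intended networks."""
import re
from ipaddress import ip_network

# Constructed sample log lines shaped like the ones quoted in the thread.
# 203.0.113.2 (TEST-NET-3) stands in for the masked public address.
LOG_NO_MATCH = """\
14[CFG] looking for peer configs matching 192.168.1.55[203.0.113.2]...80.14.87.221[myPeer1]
14[CFG] no matching peer config found
14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LOG_ESTABLISHED = """\
10[CFG] looking for peer configs matching 192.168.1.55[203.0.113.2]...80.14.87.221[myPeer1]
10[CFG] selected peer config 'RemotePeers'
10[IKE] CHILD_SA RemotePeersVPN{1} established with SPIs ca64039c_i c33dcf71_o and TS 203.0.113.2/32 === 10.10.10.1/32
"""

# local_addr[local_id]...remote_addr[remote_id] as printed by charon's CFG lookup
PEER_LOOKUP_RE = re.compile(
    r"looking for peer configs matching ([^\s\[]+)\[([^\]]*)\]\.\.\.([^\s\[]+)\[([^\]]*)\]")
# child name and the negotiated local === remote traffic selectors
CHILD_TS_RE = re.compile(
    r"CHILD_SA (\S+) established with .* and TS (.+?) === (.+)$", re.M)


def parse_peer_lookup(log):
    """Return (local_addr, local_id, remote_addr, remote_id) from the lookup line,
    or None if the line is absent."""
    m = PEER_LOOKUP_RE.search(log)
    return m.groups() if m else None


def parse_child_ts(log):
    """Return (child_name, local_ts, remote_ts) for an established CHILD_SA, with
    the selectors as lists of ip_network objects, or None if none was established."""
    m = CHILD_TS_RE.search(log)
    if not m:
        return None
    name, local, remote = m.groups()

    def nets(s):
        return [ip_network(t) for t in re.split(r"[,\s]+", s.strip()) if t]

    return name, nets(local), nets(remote)


def _within(net, containers):
    return any(c.version == net.version and net.subnet_of(c) for c in containers)


def check(log, local_ids, local_nets, remote_nets):
    """Return a list of human-readable findings; empty means neither symptom.
    local_ids: identities configured on this side (assumed). local_nets: networks
    this side must expose through the tunnel. remote_nets: networks or pools the
    peer's selectors are allowed to fall into (a road warrior's virtual IP is a
    /32 inside the pool, which is expected and not reported)."""
    local_nets = [ip_network(n) for n in local_nets]
    remote_nets = [ip_network(n) for n in remote_nets]
    findings = []

    lookup = parse_peer_lookup(log)
    if lookup and "no matching peer config found" in log:
        _, local_id, remote_addr, remote_id = lookup
        if local_id not in local_ids:
            findings.append(
                f"initiator addressed local id '{local_id}' (IDr), which is not one of "
                f"the configured local ids {sorted(local_ids)}")
        else:
            findings.append(f"no peer config matched remote {remote_addr}[{remote_id}]")

    child = parse_child_ts(log)
    if child:
        name, lts, rts = child
        # intended local networks that no negotiated selector covers
        for net in local_nets:
            if not _within(net, lts):
                findings.append(f"{name}: local network {net} is not covered by negotiated TS {lts}")
        # negotiated remote selectors that fall outside the allowed networks/pools
        for net in rts:
            if not _within(net, remote_nets):
                findings.append(f"{name}: remote selector {net} is outside {remote_nets}")
        if all(n.num_addresses == 1 for n in lts + rts):
            findings.append(f"{name}: selectors are single hosts, so the tunnel only protects "
                            f"traffic between {lts[0]} and {rts[0]}")
    return findings


if __name__ == "__main__":
    for label, log, ids in (("ipsec.conf attempt", LOG_NO_MATCH, {"192.168.1.55"}),
                            ("swanctl.conf attempt", LOG_ESTABLISHED, {"203.0.113.2"})):
        print(label)
        for f in check(log, ids, ["192.168.1.0/24"], ["10.10.10.0/28"]):
            print("  -", f)
```

Run against the first log, with `left=192.168.1.55` and no explicit `leftid` taken to mean the only configured local id is 192.168.1.55, the script reports that the initiator addressed a different local id; against the second it reports that 192.168.1.0/24 is not covered and that both selectors are single hosts, which is the point raised in the reply above. The remote /32 inside the pool is deliberately not flagged.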